Hello community,

here is the log from the commit of package qemu for openSUSE:Leap:15.2 checked 
in at 2020-04-21 19:04:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/qemu (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.qemu.new.2738 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "qemu"

Tue Apr 21 19:04:03 2020 rev:103 rq:795385 version:4.2.0

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/qemu/qemu.changes      2020-03-27 
16:43:29.747770172 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.qemu.new.2738/qemu.changes    2020-04-21 
19:04:04.547565699 +0200
@@ -1,0 +2,65 @@
+Fri Apr 17 19:23:38 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Include upstream patches targeted for the next stable release
+  (bug fixes only)
+  spapr-Fix-failure-path-for-attempting-to.patch
+  target-i386-do-not-set-unsupported-VMX-s.patch
+  target-xtensa-fix-pasto-in-pfwait.r-opco.patch
+  tcg-i386-Fix-INDEX_op_dup2_vec.patch
+  tcg-mips-mips-sync-encode-error.patch
+  vhost-user-gpu-Release-memory-returned-b.patch
+  vpc-Don-t-round-up-already-aligned-BAT-s.patch
+  xen-block-Fix-double-qlist-remove-and-re.patch
+- Fix bug causing weak encryption in PAuth for ARM
+  (CVE-2020-10702 bsc#1168681)
+  target-arm-Fix-PAuth-sbox-functions.patch
+- Fix OOB in tulip NIC emulation (CVE-2020-11102 bsc#1168713
+  net-tulip-check-frame-size-and-r-w-data-.patch
+- Note that previously included patch addresses CVE-2020-1711
+  and bsc#1166240
+  iscsi-Cap-block-count-from-GET-LBA-STATU.patch
+- Include performance improvement (and related?) patch
+  aio-wait-delegate-polling-of-main-AioCon.patch
+  async-use-explicit-memory-barriers.patch
+- Rework previous patch at Olaf H.'s direction
+  hw-i386-disable-smbus-migration-for-xenf.patch
+- Eliminate is_opensuse usage in producing seabios version string
+  what we are doing here is just replacing the upstream string
+  with one indicating that the openSUSE build service built it,
+  and so just leave it as "-rebuilt.opensuse.org"
+- Alter algorithm used to produce "unique" symbol for coordinating
+  qemu with the optional modules it may load. This is a reasonable
+  relaxation for broader compatibility
+  configure-remove-pkgversion-from-CONFIG_.patch
+- Tweak supported.*.txt for latest deprecations, and other fixes
+- Tweak update_git.sh, config.sh
+
+-------------------------------------------------------------------
+Mon Apr  6 14:29:50 UTC 2020 - Bruce Rogers <[email protected]>
+
+- One more fix is needed for: s390x Protected Virtualization support
+  - start and control guest in secure mode (bsc#1167075 jsc#SLE-7407)
+  s390x-s390-virtio-ccw-Fix-build-on-syste.patch
+
+-------------------------------------------------------------------
+Thu Mar 26 18:28:03 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Include upstream patches targeted for the next stable release
+  (bug fixes only)
+  block-Avoid-memleak-on-qcow2-image-info-.patch
+  block-bdrv_set_backing_bs-fix-use-after-.patch
+  hmp-vnc-Fix-info-vnc-list-leak.patch
+  migration-colo-fix-use-after-free-of-loc.patch
+  migration-ram-fix-use-after-free-of-loca.patch
+  ppc-ppc405_boards-Remove-unnecessary-NUL.patch
+  qcow2-List-autoclear-bit-names-in-header.patch
+  scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
+  sheepdog-Consistently-set-bdrv_has_zero_.patch
+
+-------------------------------------------------------------------
+Tue Mar 24 13:22:36 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Note The previous set of s390x patches also includes the fix for:
+  bsc#1167445
+
+-------------------------------------------------------------------

New:
----
  aio-wait-delegate-polling-of-main-AioCon.patch
  async-use-explicit-memory-barriers.patch
  block-Avoid-memleak-on-qcow2-image-info-.patch
  block-bdrv_set_backing_bs-fix-use-after-.patch
  configure-remove-pkgversion-from-CONFIG_.patch
  hmp-vnc-Fix-info-vnc-list-leak.patch
  migration-colo-fix-use-after-free-of-loc.patch
  migration-ram-fix-use-after-free-of-loca.patch
  net-tulip-check-frame-size-and-r-w-data-.patch
  ppc-ppc405_boards-Remove-unnecessary-NUL.patch
  qcow2-List-autoclear-bit-names-in-header.patch
  s390x-s390-virtio-ccw-Fix-build-on-syste.patch
  scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
  sheepdog-Consistently-set-bdrv_has_zero_.patch
  spapr-Fix-failure-path-for-attempting-to.patch
  target-arm-Fix-PAuth-sbox-functions.patch
  target-i386-do-not-set-unsupported-VMX-s.patch
  target-xtensa-fix-pasto-in-pfwait.r-opco.patch
  tcg-i386-Fix-INDEX_op_dup2_vec.patch
  tcg-mips-mips-sync-encode-error.patch
  vhost-user-gpu-Release-memory-returned-b.patch
  vpc-Don-t-round-up-already-aligned-BAT-s.patch
  xen-block-Fix-double-qlist-remove-and-re.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ qemu.spec ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:09.083575175 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:09.087575183 +0200
@@ -203,76 +203,99 @@
 Patch00073:     job-refactor-progress-to-separate-object.patch
 Patch00074:     block-block-copy-fix-progress-calculatio.patch
 Patch00075:     block-io-fix-bdrv_co_do_copy_on_readv.patch
-Patch00076:     target-ppc-Fix-rlwinm-on-ppc64.patch
-Patch00077:     compat-disable-edid-on-correct-virtio-gp.patch
-Patch00078:     XXX-dont-dump-core-on-sigabort.patch
-Patch00079:     qemu-binfmt-conf-Modify-default-path.patch
-Patch00080:     qemu-cvs-gettimeofday.patch
-Patch00081:     qemu-cvs-ioctl_debug.patch
-Patch00082:     qemu-cvs-ioctl_nodirection.patch
-Patch00083:     linux-user-add-binfmt-wrapper-for-argv-0.patch
-Patch00084:     PPC-KVM-Disable-mmu-notifier-check.patch
-Patch00085:     linux-user-binfmt-support-host-binaries.patch
-Patch00086:     linux-user-Fake-proc-cpuinfo.patch
-Patch00087:     linux-user-use-target_ulong.patch
-Patch00088:     Make-char-muxer-more-robust-wrt-small-FI.patch
-Patch00089:     linux-user-lseek-explicitly-cast-non-set.patch
-Patch00090:     AIO-Reduce-number-of-threads-for-32bit-h.patch
-Patch00091:     xen_disk-Add-suse-specific-flush-disable.patch
-Patch00092:     qemu-bridge-helper-reduce-security-profi.patch
-Patch00093:     qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
-Patch00094:     linux-user-properly-test-for-infinite-ti.patch
-Patch00095:     roms-Makefile-pass-a-packaging-timestamp.patch
-Patch00096:     Raise-soft-address-space-limit-to-hard-l.patch
-Patch00097:     increase-x86_64-physical-bits-to-42.patch
-Patch00098:     vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
-Patch00099:     i8254-Fix-migration-from-SLE11-SP2.patch
-Patch00100:     acpi_piix4-Fix-migration-from-SLE11-SP2.patch
-Patch00101:     Switch-order-of-libraries-for-mpath-supp.patch
-Patch00102:     Make-installed-scripts-explicitly-python.patch
-Patch00103:     hw-smbios-handle-both-file-formats-regar.patch
-Patch00104:     xen-add-block-resize-support-for-xen-dis.patch
-Patch00105:     tests-qemu-iotests-Triple-timeout-of-i-o.patch
-Patch00106:     tests-Fix-block-tests-to-be-compatible-w.patch
-Patch00107:     xen-ignore-live-parameter-from-xen-save-.patch
-Patch00108:     Conditionalize-ui-bitmap-installation-be.patch
-Patch00109:     tests-change-error-message-in-test-162.patch
-Patch00110:     hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
-Patch00111:     hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
-Patch00112:     hw-intc-exynos4210_gic-provide-more-room.patch
-Patch00113:     configure-only-populate-roms-if-softmmu.patch
-Patch00114:     pc-bios-s390-ccw-net-avoid-warning-about.patch
-Patch00115:     roms-change-cross-compiler-naming-to-be-.patch
-Patch00116:     tests-Disable-some-block-tests-for-now.patch
-Patch00117:     test-add-mapping-from-arch-of-i686-to-qe.patch
-Patch00118:     roms-Makefile-enable-cross-compile-for-b.patch
-Patch00119:     hw-i386-disable-smbus-migration-for-xenf.patch
-Patch00120:     s390x-Don-t-do-a-normal-reset-on-the-ini.patch
-Patch00121:     s390x-Move-reset-normal-to-shared-reset-.patch
-Patch00122:     s390x-Move-initial-reset.patch
-Patch00123:     s390x-Move-clear-reset.patch
-Patch00124:     s390x-kvm-Make-kvm_sclp_service_call-voi.patch
-Patch00125:     s390x-ipl-Consolidate-iplb-validity-chec.patch
-Patch00126:     s390x-Beautify-diag308-handling.patch
-Patch00127:     s390x-Add-missing-vcpu-reset-functions.patch
-Patch00128:     pc-bios-s390x-Save-iplb-location-in-lowc.patch
-Patch00129:     s390-sclp-improve-special-wait-psw-logic.patch
-Patch00130:     s390x-Move-diagnose-308-subcodes-and-rcs.patch
-Patch00131:     vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
-Patch00132:     Sync-pv.patch
-Patch00133:     s390x-protvirt-Support-unpack-facility.patch
-Patch00134:     s390x-protvirt-Add-migration-blocker.patch
-Patch00135:     s390x-protvirt-Inhibit-balloon-when-swit.patch
-Patch00136:     s390x-protvirt-KVM-intercept-changes.patch
-Patch00137:     s390x-Add-SIDA-memory-ops.patch
-Patch00138:     s390x-protvirt-Move-STSI-data-over-SIDAD.patch
-Patch00139:     s390x-protvirt-SCLP-interpretation.patch
-Patch00140:     s390x-protvirt-Set-guest-IPL-PSW.patch
-Patch00141:     s390x-protvirt-Move-diag-308-data-over-S.patch
-Patch00142:     s390x-protvirt-Disable-address-checks-fo.patch
-Patch00143:     s390x-protvirt-Move-IO-control-structure.patch
-Patch00144:     s390x-protvirt-Handle-SIGP-store-status-.patch
-Patch00145:     s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00076:     scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
+Patch00077:     target-ppc-Fix-rlwinm-on-ppc64.patch
+Patch00078:     compat-disable-edid-on-correct-virtio-gp.patch
+Patch00079:     ppc-ppc405_boards-Remove-unnecessary-NUL.patch
+Patch00080:     block-Avoid-memleak-on-qcow2-image-info-.patch
+Patch00081:     block-bdrv_set_backing_bs-fix-use-after-.patch
+Patch00082:     hmp-vnc-Fix-info-vnc-list-leak.patch
+Patch00083:     migration-colo-fix-use-after-free-of-loc.patch
+Patch00084:     migration-ram-fix-use-after-free-of-loca.patch
+Patch00085:     qcow2-List-autoclear-bit-names-in-header.patch
+Patch00086:     sheepdog-Consistently-set-bdrv_has_zero_.patch
+Patch00087:     target-arm-Fix-PAuth-sbox-functions.patch
+Patch00088:     tcg-i386-Fix-INDEX_op_dup2_vec.patch
+Patch00089:     net-tulip-check-frame-size-and-r-w-data-.patch
+Patch00090:     target-i386-do-not-set-unsupported-VMX-s.patch
+Patch00091:     spapr-Fix-failure-path-for-attempting-to.patch
+Patch00092:     xen-block-Fix-double-qlist-remove-and-re.patch
+Patch00093:     vpc-Don-t-round-up-already-aligned-BAT-s.patch
+Patch00094:     target-xtensa-fix-pasto-in-pfwait.r-opco.patch
+Patch00095:     aio-wait-delegate-polling-of-main-AioCon.patch
+Patch00096:     async-use-explicit-memory-barriers.patch
+Patch00097:     tcg-mips-mips-sync-encode-error.patch
+Patch00098:     vhost-user-gpu-Release-memory-returned-b.patch
+Patch00099:     XXX-dont-dump-core-on-sigabort.patch
+Patch00100:     qemu-binfmt-conf-Modify-default-path.patch
+Patch00101:     qemu-cvs-gettimeofday.patch
+Patch00102:     qemu-cvs-ioctl_debug.patch
+Patch00103:     qemu-cvs-ioctl_nodirection.patch
+Patch00104:     linux-user-add-binfmt-wrapper-for-argv-0.patch
+Patch00105:     PPC-KVM-Disable-mmu-notifier-check.patch
+Patch00106:     linux-user-binfmt-support-host-binaries.patch
+Patch00107:     linux-user-Fake-proc-cpuinfo.patch
+Patch00108:     linux-user-use-target_ulong.patch
+Patch00109:     Make-char-muxer-more-robust-wrt-small-FI.patch
+Patch00110:     linux-user-lseek-explicitly-cast-non-set.patch
+Patch00111:     AIO-Reduce-number-of-threads-for-32bit-h.patch
+Patch00112:     xen_disk-Add-suse-specific-flush-disable.patch
+Patch00113:     qemu-bridge-helper-reduce-security-profi.patch
+Patch00114:     qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
+Patch00115:     linux-user-properly-test-for-infinite-ti.patch
+Patch00116:     roms-Makefile-pass-a-packaging-timestamp.patch
+Patch00117:     Raise-soft-address-space-limit-to-hard-l.patch
+Patch00118:     increase-x86_64-physical-bits-to-42.patch
+Patch00119:     vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
+Patch00120:     i8254-Fix-migration-from-SLE11-SP2.patch
+Patch00121:     acpi_piix4-Fix-migration-from-SLE11-SP2.patch
+Patch00122:     Switch-order-of-libraries-for-mpath-supp.patch
+Patch00123:     Make-installed-scripts-explicitly-python.patch
+Patch00124:     hw-smbios-handle-both-file-formats-regar.patch
+Patch00125:     xen-add-block-resize-support-for-xen-dis.patch
+Patch00126:     tests-qemu-iotests-Triple-timeout-of-i-o.patch
+Patch00127:     tests-Fix-block-tests-to-be-compatible-w.patch
+Patch00128:     xen-ignore-live-parameter-from-xen-save-.patch
+Patch00129:     Conditionalize-ui-bitmap-installation-be.patch
+Patch00130:     tests-change-error-message-in-test-162.patch
+Patch00131:     hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
+Patch00132:     hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
+Patch00133:     hw-intc-exynos4210_gic-provide-more-room.patch
+Patch00134:     configure-only-populate-roms-if-softmmu.patch
+Patch00135:     pc-bios-s390-ccw-net-avoid-warning-about.patch
+Patch00136:     roms-change-cross-compiler-naming-to-be-.patch
+Patch00137:     tests-Disable-some-block-tests-for-now.patch
+Patch00138:     test-add-mapping-from-arch-of-i686-to-qe.patch
+Patch00139:     roms-Makefile-enable-cross-compile-for-b.patch
+Patch00140:     hw-i386-disable-smbus-migration-for-xenf.patch
+Patch00141:     s390x-Don-t-do-a-normal-reset-on-the-ini.patch
+Patch00142:     s390x-Move-reset-normal-to-shared-reset-.patch
+Patch00143:     s390x-Move-initial-reset.patch
+Patch00144:     s390x-Move-clear-reset.patch
+Patch00145:     s390x-kvm-Make-kvm_sclp_service_call-voi.patch
+Patch00146:     s390x-ipl-Consolidate-iplb-validity-chec.patch
+Patch00147:     s390x-Beautify-diag308-handling.patch
+Patch00148:     s390x-Add-missing-vcpu-reset-functions.patch
+Patch00149:     pc-bios-s390x-Save-iplb-location-in-lowc.patch
+Patch00150:     s390-sclp-improve-special-wait-psw-logic.patch
+Patch00151:     s390x-Move-diagnose-308-subcodes-and-rcs.patch
+Patch00152:     vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
+Patch00153:     Sync-pv.patch
+Patch00154:     s390x-protvirt-Support-unpack-facility.patch
+Patch00155:     s390x-protvirt-Add-migration-blocker.patch
+Patch00156:     s390x-protvirt-Inhibit-balloon-when-swit.patch
+Patch00157:     s390x-protvirt-KVM-intercept-changes.patch
+Patch00158:     s390x-Add-SIDA-memory-ops.patch
+Patch00159:     s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+Patch00160:     s390x-protvirt-SCLP-interpretation.patch
+Patch00161:     s390x-protvirt-Set-guest-IPL-PSW.patch
+Patch00162:     s390x-protvirt-Move-diag-308-data-over-S.patch
+Patch00163:     s390x-protvirt-Disable-address-checks-fo.patch
+Patch00164:     s390x-protvirt-Move-IO-control-structure.patch
+Patch00165:     s390x-protvirt-Handle-SIGP-store-status-.patch
+Patch00166:     s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00167:     s390x-s390-virtio-ccw-Fix-build-on-syste.patch
+Patch00168:     configure-remove-pkgversion-from-CONFIG_.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@@ -1134,6 +1157,29 @@
 %patch00143 -p1
 %patch00144 -p1
 %patch00145 -p1
+%patch00146 -p1
+%patch00147 -p1
+%patch00148 -p1
+%patch00149 -p1
+%patch00150 -p1
+%patch00151 -p1
+%patch00152 -p1
+%patch00153 -p1
+%patch00154 -p1
+%patch00155 -p1
+%patch00156 -p1
+%patch00157 -p1
+%patch00158 -p1
+%patch00159 -p1
+%patch00160 -p1
+%patch00161 -p1
+%patch00162 -p1
+%patch00163 -p1
+%patch00164 -p1
+%patch00165 -p1
+%patch00166 -p1
+%patch00167 -p1
+%patch00168 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
@@ -1282,7 +1328,7 @@
 cd %mybuilddir
 %endif
 
-%{_builddir}/%buildsubdir/configure \
+../%buildsubdir/configure \
        --prefix=%_prefix \
        --sysconfdir=%_sysconfdir \
        --libdir=%_libdir \
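Review bot: Replacing `%{_builddir}/%buildsubdir/configure` with `../%buildsubdir/configure` makes the configure step depend on the working directory being a direct child of %{_builddir} in both branches of the `%if` that closes just above (the `cd %mybuilddir` branch and whatever directory the other branch leaves current); that appears to hold, but the assumption is now implicit. A comment such as `# relative path on purpose: cwd is a sibling of %buildsubdir under %{_builddir}` would make it visible to whoever next rearranges the build layout. If the motivation is to keep absolute build paths out of generated files, saying so in the changelog entry would help as well.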
@@ -1520,11 +1566,7 @@
 %endif
 
 make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \
-%if 0%{?is_opensuse} == 0
-  SEABIOS_EXTRAVERSION="-rebuilt.suse.com" \
-%else
   SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \
-%endif
 %ifnarch %ix86 x86_64
   HOSTCC=cc \
 %endif

++++++ aio-wait-delegate-polling-of-main-AioCon.patch ++++++
From: Paolo Bonzini <[email protected]>
Date: Tue, 7 Apr 2020 10:07:45 -0400
Subject: aio-wait: delegate polling of main AioContext if BQL not held

Git-commit: 3c18a92dc4b55ca8cc37a755ed119f11c0f34099

Any thread that is not an iothread returns NULL for 
qemu_get_current_aio_context().
As a result, it would also return true for
in_aio_context_home_thread(qemu_get_aio_context()), causing
AIO_WAIT_WHILE to invoke aio_poll() directly.  This is incorrect
if the BQL is not held, because aio_poll() does not expect to
run concurrently from multiple threads, and it can actually
happen when savevm writes to the vmstate file from the
migration thread.

Therefore, restrict in_aio_context_home_thread to return true
for the main AioContext only if the BQL is held.

The function is moved to aio-wait.h because it is mostly used
there and to avoid a circular reference between main-loop.h
and block/aio.h.

Signed-off-by: Paolo Bonzini <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 include/block/aio-wait.h | 22 ++++++++++++++++++++++
 include/block/aio.h      | 29 ++++++++++-------------------
 2 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h
index afeeb18f95ebb593982b5d3f8917..716d2639df708f03e3f29d68315b 100644
--- a/include/block/aio-wait.h
+++ b/include/block/aio-wait.h
@@ -26,6 +26,7 @@
 #define QEMU_AIO_WAIT_H
 
 #include "block/aio.h"
+#include "qemu/main-loop.h"
 
 /**
  * AioWait:
@@ -124,4 +125,25 @@ void aio_wait_kick(void);
  */
 void aio_wait_bh_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque);
 
+/**
+ * in_aio_context_home_thread:
+ * @ctx: the aio context
+ *
+ * Return whether we are running in the thread that normally runs @ctx.  Note
+ * that acquiring/releasing ctx does not affect the outcome, each AioContext
+ * still only has one home thread that is responsible for running it.
+ */
+static inline bool in_aio_context_home_thread(AioContext *ctx)
+{
+    if (ctx == qemu_get_current_aio_context()) {
+        return true;
+    }
+
+    if (ctx == qemu_get_aio_context()) {
+        return qemu_mutex_iothread_locked();
+    } else {
+        return false;
+    }
+}
+
 #endif /* QEMU_AIO_WAIT_H */
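Review bot: The doc comment carried over with in_aio_context_home_thread no longer describes its contract: the body now returns qemu_mutex_iothread_locked() for the main AioContext, so the answer depends on whether the caller holds the BQL, not only on which thread it runs in. Suggest extending the comment with `For the main AioContext this is only true while the BQL is held; without it, polling that context from this thread is not safe (see AIO_WAIT_WHILE).` Stylistically the else after a return is redundant; the tail can be `return ctx == qemu_get_aio_context() && qemu_mutex_iothread_locked();`. Since the helper has moved out of block/aio.h, any translation unit that reached it through that header alone (the aio_poll() implementations in util/aio-posix.c and util/aio-win32.c assert on it) must now pick up aio-wait.h, presumably via block/block.h — worth confirming on the Windows build too.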
diff --git a/include/block/aio.h b/include/block/aio.h
index 6b0d52f732b86caef07602281574..9d28e247df7f0d3a556644fcd9d1 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -60,12 +60,16 @@ struct AioContext {
     QLIST_HEAD(, AioHandler) aio_handlers;
 
     /* Used to avoid unnecessary event_notifier_set calls in aio_notify;
-     * accessed with atomic primitives.  If this field is 0, everything
-     * (file descriptors, bottom halves, timers) will be re-evaluated
-     * before the next blocking poll(), thus the event_notifier_set call
-     * can be skipped.  If it is non-zero, you may need to wake up a
-     * concurrent aio_poll or the glib main event loop, making
-     * event_notifier_set necessary.
+     * only written from the AioContext home thread, or under the BQL in
+     * the case of the main AioContext.  However, it is read from any
+     * thread so it is still accessed with atomic primitives.
+     *
+     * If this field is 0, everything (file descriptors, bottom halves,
+     * timers) will be re-evaluated before the next blocking poll() or
+     * io_uring wait; therefore, the event_notifier_set call can be
+     * skipped.  If it is non-zero, you may need to wake up a concurrent
+     * aio_poll or the glib main event loop, making event_notifier_set
+     * necessary.
      *
      * Bit 0 is reserved for GSource usage of the AioContext, and is 1
      * between a call to aio_ctx_prepare and the next call to aio_ctx_check.
@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co);
  */
 AioContext *qemu_get_current_aio_context(void);
 
-/**
- * in_aio_context_home_thread:
- * @ctx: the aio context
- *
- * Return whether we are running in the thread that normally runs @ctx.  Note
- * that acquiring/releasing ctx does not affect the outcome, each AioContext
- * still only has one home thread that is responsible for running it.
- */
-static inline bool in_aio_context_home_thread(AioContext *ctx)
-{
-    return ctx == qemu_get_current_aio_context();
-}
-
 /**
  * aio_context_setup:
  * @ctx: the aio context
++++++ async-use-explicit-memory-barriers.patch ++++++
From: Paolo Bonzini <[email protected]>
Date: Tue, 7 Apr 2020 10:07:46 -0400
Subject: async: use explicit memory barriers

Git-commit: 5710a3e09f9b85801e5ce70797a4a511e5fc9e2c

When using C11 atomics, non-seqcst reads and writes do not participate
in the total order of seqcst operations.  In util/async.c and util/aio-posix.c,
in particular, the pattern that we use

          write ctx->notify_me                 write bh->scheduled
          read bh->scheduled                   read ctx->notify_me
          if !bh->scheduled, sleep             if ctx->notify_me, notify

needs to use seqcst operations for both the write and the read.  In
general this is something that we do not want, because there can be
many sources that are polled in addition to bottom halves.  The
alternative is to place a seqcst memory barrier between the write
and the read.  This also comes with a disadvantage, in that the
memory barrier is implicit on strongly-ordered architectures and
it wastes a few dozen clock cycles.

Fortunately, ctx->notify_me is never written concurrently by two
threads, so we can assert that and relax the writes to ctx->notify_me.
The resulting solution works and performs well on both aarch64 and x86.

Note that the atomic_set/atomic_read combination is not an atomic
read-modify-write, and therefore it is even weaker than C11 ATOMIC_RELAXED;
on x86, ATOMIC_RELAXED compiles to a locked operation.

Analyzed-by: Ying Fang <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Tested-by: Ying Fang <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Stefan Hajnoczi <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 util/aio-posix.c | 16 ++++++++++++++--
 util/aio-win32.c | 17 ++++++++++++++---
 util/async.c     | 16 ++++++++++++----
 3 files changed, 40 insertions(+), 9 deletions(-)

diff --git a/util/aio-posix.c b/util/aio-posix.c
index a4977f538ef28d56178267a1795c..fe2a46c439fa1505f5f688274566 100644
--- a/util/aio-posix.c
+++ b/util/aio-posix.c
@@ -616,6 +616,11 @@ bool aio_poll(AioContext *ctx, bool blocking)
     int64_t timeout;
     int64_t start = 0;
 
+    /*
+     * There cannot be two concurrent aio_poll calls for the same AioContext 
(or
+     * an aio_poll concurrent with a GSource prepare/check/dispatch callback).
+     * We rely on this below to avoid slow locked accesses to ctx->notify_me.
+     */
     assert(in_aio_context_home_thread(ctx));
 
     /* aio_notify can avoid the expensive event_notifier_set if
@@ -626,7 +631,13 @@ bool aio_poll(AioContext *ctx, bool blocking)
      * so disable the optimization now.
      */
     if (blocking) {
-        atomic_add(&ctx->notify_me, 2);
+        atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2);
+        /*
+         * Write ctx->notify_me before computing the timeout
+         * (reading bottom half flags, etc.).  Pairs with
+         * smp_mb in aio_notify().
+         */
+        smp_mb();
     }
 
     qemu_lockcnt_inc(&ctx->list_lock);
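Review bot: `atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2)` is a deliberately non-atomic read-modify-write, but nothing at the increment site says why that is safe; the justification lives only in the assert and comment added at the top of aio_poll() in the previous hunk. Suggest a one-line comment directly above it, `/* Plain RMW is safe: notify_me is only written from the home thread, see assert at function entry. */`, and the same at the decrement below and at the mirrored sites in util/aio-win32.c and the aio_ctx_prepare/aio_ctx_check hunks in util/async.c. The safety argument also relies on in_aio_context_home_thread() having the BQL-aware semantics introduced by the preceding aio-wait patch, so the two must stay in that order in the spec (they do: Patch00095 before Patch00096). aio_poll's body continues outside this hunk.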
@@ -671,7 +682,8 @@ bool aio_poll(AioContext *ctx, bool blocking)
     }
 
     if (blocking) {
-        atomic_sub(&ctx->notify_me, 2);
+        /* Finish the poll before clearing the flag.  */
+        atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 
2);
         aio_notify_accept(ctx);
     }
 
diff --git a/util/aio-win32.c b/util/aio-win32.c
index a23b9c364db3a764a3e00c6b62e9..729d533faf4d807e0a5388edd2af 100644
--- a/util/aio-win32.c
+++ b/util/aio-win32.c
@@ -321,6 +321,12 @@ bool aio_poll(AioContext *ctx, bool blocking)
     int count;
     int timeout;
 
+    /*
+     * There cannot be two concurrent aio_poll calls for the same AioContext 
(or
+     * an aio_poll concurrent with a GSource prepare/check/dispatch callback).
+     * We rely on this below to avoid slow locked accesses to ctx->notify_me.
+     */
+    assert(in_aio_context_home_thread(ctx));
     progress = false;
 
     /* aio_notify can avoid the expensive event_notifier_set if
@@ -331,7 +337,13 @@ bool aio_poll(AioContext *ctx, bool blocking)
      * so disable the optimization now.
      */
     if (blocking) {
-        atomic_add(&ctx->notify_me, 2);
+        atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2);
+        /*
+         * Write ctx->notify_me before computing the timeout
+         * (reading bottom half flags, etc.).  Pairs with
+         * smp_mb in aio_notify().
+         */
+        smp_mb();
     }
 
     qemu_lockcnt_inc(&ctx->list_lock);
@@ -364,8 +376,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
         ret = WaitForMultipleObjects(count, events, FALSE, timeout);
         if (blocking) {
             assert(first);
-            assert(in_aio_context_home_thread(ctx));
-            atomic_sub(&ctx->notify_me, 2);
+            atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) 
- 2);
             aio_notify_accept(ctx);
         }
 
diff --git a/util/async.c b/util/async.c
index b1fa5319e5bc7830d50108f91139..c65c58bbc9f57bf1bbdb6acd5fd1 100644
--- a/util/async.c
+++ b/util/async.c
@@ -220,7 +220,14 @@ aio_ctx_prepare(GSource *source, gint    *timeout)
 {
     AioContext *ctx = (AioContext *) source;
 
-    atomic_or(&ctx->notify_me, 1);
+    atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) | 1);
+
+    /*
+     * Write ctx->notify_me before computing the timeout
+     * (reading bottom half flags, etc.).  Pairs with
+     * smp_mb in aio_notify().
+     */
+    smp_mb();
 
     /* We assume there is no timeout already supplied */
     *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx));
@@ -238,7 +245,8 @@ aio_ctx_check(GSource *source)
     AioContext *ctx = (AioContext *) source;
     QEMUBH *bh;
 
-    atomic_and(&ctx->notify_me, ~1);
+    /* Finish computing the timeout before clearing the flag.  */
+    atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) & ~1);
     aio_notify_accept(ctx);
 
     for (bh = ctx->first_bh; bh; bh = bh->next) {
@@ -343,10 +351,10 @@ LinuxAioState *aio_get_linux_aio(AioContext *ctx)
 void aio_notify(AioContext *ctx)
 {
     /* Write e.g. bh->scheduled before reading ctx->notify_me.  Pairs
-     * with atomic_or in aio_ctx_prepare or atomic_add in aio_poll.
+     * with smp_mb in aio_ctx_prepare or aio_poll.
      */
     smp_mb();
-    if (ctx->notify_me) {
+    if (atomic_read(&ctx->notify_me)) {
         event_notifier_set(&ctx->notifier);
         atomic_mb_set(&ctx->notified, true);
     }
++++++ block-Avoid-memleak-on-qcow2-image-info-.patch ++++++
From: Eric Blake <[email protected]>
Date: Fri, 20 Mar 2020 13:36:20 -0500
Subject: block: Avoid memleak on qcow2 image info failure

Git-commit: 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7

If we fail to get bitmap info, we must not leak the encryption info.

Fixes: b8968c875f403
Fixes: Coverity CID 1421894
Signed-off-by: Eric Blake <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Reviewed-by: Andrey Shinkevich <[email protected]>
Tested-by: Andrey Shinkevich <[email protected]>
Signed-off-by: Max Reitz <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 block/qcow2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/block/qcow2.c b/block/qcow2.c
index 7c18721741eacfb7f6c2c1f0efe6..13e118e16f02f371c0f23c7aaa8d 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -4800,6 +4800,7 @@ static ImageInfoSpecific 
*qcow2_get_specific_info(BlockDriverState *bs,
         if (local_err) {
             error_propagate(errp, local_err);
             qapi_free_ImageInfoSpecific(spec_info);
+            qapi_free_QCryptoBlockInfo(encrypt_info);
             return NULL;
         }
         *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
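Review bot: The added qapi_free_QCryptoBlockInfo(encrypt_info) closes the leak on this one failure path, but qcow2_get_specific_info starts outside the hunk, and every other early return between the point where encrypt_info is obtained and the place it is handed over to spec_info (presumably the assignment that begins on the last line here) needs the same release. A single cleanup label that frees both spec_info and encrypt_info would make such paths harder to miss than per-site frees; from this hunk alone I cannot tell whether other returns exist. A comment at the allocation site such as `/* encrypt_info is owned here until it is stored into spec_info below */` would document the ownership hand-off.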
++++++ block-bdrv_set_backing_bs-fix-use-after-.patch ++++++
From: Vladimir Sementsov-Ogievskiy <[email protected]>
Date: Mon, 16 Mar 2020 09:06:30 +0300
Subject: block: bdrv_set_backing_bs: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4

There is a use-after-free possible: bdrv_unref_child() leaves
bs->backing freed but not NULL. bdrv_attach_child may produce nested
polling loop due to drain, and then access to the freed pointer is possible.

I've produced the following crash on 30 iotest with modified code. It
does not reproduce on master, but still seems possible:

    #0  __strcmp_avx2 () at /lib64/libc.so.6
    #1  bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350
    #2  bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404
    #3  bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063
    #4  bdrv_replace_child_noperm
        (child=child@entry=0x55c9d48e5520,
        new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290
    #5  bdrv_replace_child
        (child=child@entry=0x55c9d48e5520,
        new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320
    #6  bdrv_root_attach_child
        (child_bs=child_bs@entry=0x55c9d3cc2060,
        child_name=child_name@entry=0x55c9d241d478 "backing",
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
        ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
        opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424
    #7  bdrv_attach_child
        (parent_bs=parent_bs@entry=0x55c9d3c5a3d0,
        child_bs=child_bs@entry=0x55c9d3cc2060,
        child_name=child_name@entry=0x55c9d241d478 "backing",
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
        errp=errp@entry=0x7ffd117108e0) at block.c:5876
    #8  in bdrv_set_backing_hd
        (bs=bs@entry=0x55c9d3c5a3d0,
        backing_hd=backing_hd@entry=0x55c9d3cc2060,
        errp=errp@entry=0x7ffd117108e0)
        at block.c:2576
    #9  stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150
    #10 job_prepare (job=0x55c9d49d84a0) at job.c:761
    #11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at
        job.c:145
    #12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778
    #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832
    #14 job_completed (job=0x55c9d49d84a0) at job.c:845
    #15 job_completed (job=0x55c9d49d84a0) at job.c:836
    #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864
    #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117
    #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117
    #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720,
        blocking=blocking@entry=true)
        at util/aio-posix.c:728
    #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0)
        at block/io.c:121
    #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0,
        poll=poll@entry=true)
        at block/io.c:114
    #22 bdrv_replace_child_noperm
        (child=child@entry=0x55c9d3d558f0,
        new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258
    #23 bdrv_replace_child
        (child=child@entry=0x55c9d3d558f0,
        new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320
    #24 bdrv_root_attach_child
        (child_bs=child_bs@entry=0x55c9d3d27300,
        child_name=child_name@entry=0x55c9d241d478 "backing",
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
        ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
        opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424
    #25 bdrv_attach_child
        (parent_bs=parent_bs@entry=0x55c9d3cc2060,
        child_bs=child_bs@entry=0x55c9d3d27300,
        child_name=child_name@entry=0x55c9d241d478 "backing",
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
        errp=errp@entry=0x7ffd11710c60) at block.c:5876
    #26 bdrv_set_backing_hd
        (bs=bs@entry=0x55c9d3cc2060,
        backing_hd=backing_hd@entry=0x55c9d3d27300,
        errp=errp@entry=0x7ffd11710c60)
        at block.c:2576
    #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150
    ...

Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: John Snow <[email protected]>
Signed-off-by: Max Reitz <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 block.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block.c b/block.c
index 8539f99ac47cdbf0e9b823751074..3d0134f00b55e0400efc70058d00 100644
--- a/block.c
+++ b/block.c
@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, 
BlockDriverState *backing_hd,
 
     if (bs->backing) {
         bdrv_unref_child(bs, bs->backing);
+        bs->backing = NULL;
     }
 
     if (!backing_hd) {
-        bs->backing = NULL;
         goto out;
     }
 
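Review bot: The new position of `bs->backing = NULL;` needs a comment, because nothing at the site says why it must precede the `if (!backing_hd)` test rather than follow it. The backtrace in the description shows bdrv_attach_child() polling (aio_poll under bdrv_root_attach_child) and reaching stream_prepare() → bdrv_set_backing_hd() again, so a reader who "simplifies" this back would reintroduce the re-entrancy problem. Suggest `/* Clear before attaching: bdrv_attach_child() can poll and re-enter code that reads bs->backing, which must not see the stale child */` on the added line. bdrv_set_backing_hd continues past the hunk.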
++++++ bundles.tar.xz ++++++
Binary files old/b0ca999a43a22b38158a222233d3f5881648bb4f.bundle and 
new/b0ca999a43a22b38158a222233d3f5881648bb4f.bundle differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/repo new/repo
--- old/repo    2019-12-12 23:25:12.000000000 +0100
+++ new/repo    2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu.git
+https://github.com/openSUSE/qemu.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/SLOF/repo new/roms/SLOF/repo
--- old/roms/SLOF/repo  2019-12-12 23:25:12.000000000 +0100
+++ new/roms/SLOF/repo  1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
[email protected]:openSUSE/qemu-SLOF.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/edk2/repo new/roms/edk2/repo
--- old/roms/edk2/repo  2019-12-12 23:25:12.000000000 +0100
+++ new/roms/edk2/repo  1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
[email protected]:openSUSE/qemu-edk2.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/ipxe/repo new/roms/ipxe/repo
--- old/roms/ipxe/repo  2019-12-12 23:25:12.000000000 +0100
+++ new/roms/ipxe/repo  2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu-ipxe.git
+https://github.com/openSUSE/qemu-ipxe.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/openbios/repo new/roms/openbios/repo
--- old/roms/openbios/repo      2019-12-12 23:25:12.000000000 +0100
+++ new/roms/openbios/repo      1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
[email protected]:openSUSE/qemu-openbios.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/qboot/repo new/roms/qboot/repo
--- old/roms/qboot/repo 2019-12-12 23:25:12.000000000 +0100
+++ new/roms/qboot/repo 2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu-qboot.git
+https://github.com/openSUSE/qemu-qboot.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/seabios/repo new/roms/seabios/repo
--- old/roms/seabios/repo       2019-12-12 23:25:12.000000000 +0100
+++ new/roms/seabios/repo       2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu-seabios.git
+https://github.com/openSUSE/qemu-seabios.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/sgabios/repo new/roms/sgabios/repo
--- old/roms/sgabios/repo       2019-12-12 23:25:12.000000000 +0100
+++ new/roms/sgabios/repo       2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu-sgabios.git
+https://github.com/openSUSE/qemu-sgabios.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/skiboot/repo new/roms/skiboot/repo
--- old/roms/skiboot/repo       2019-12-12 23:25:12.000000000 +0100
+++ new/roms/skiboot/repo       1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
[email protected]:openSUSE/qemu-skiboot.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/slirp/repo new/slirp/repo
--- old/slirp/repo      2019-12-12 23:25:12.000000000 +0100
+++ new/slirp/repo      2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu-slirp.git
+https://github.com/openSUSE/qemu-slirp.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/ui/keycodemapdb/repo new/ui/keycodemapdb/repo
--- old/ui/keycodemapdb/repo    2019-12-12 23:25:12.000000000 +0100
+++ new/ui/keycodemapdb/repo    2019-12-12 23:25:12.000000000 +0100
@@ -1 +1 @@
[email protected]:openSUSE/qemu-keycodemapdb.git
+https://github.com/openSUSE/qemu-keycodemapdb.git

++++++ config.sh ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:09.611576278 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:09.611576278 +0200
@@ -67,6 +67,17 @@
     ~/git/qemu-edk2-openssl-pyca-cryptography
 )
 
+# TEMPORARY! FOR NOW WE REQUIRE THESE LOCALLY TO DO WORK ON PACKAGE
+REQUIRED_LOCAL_REPO_MAP=(
+    ~/git/qemu-opensuse
+    ~/git/qemu-seabios
+    ~/git/qemu-ipxe
+    ~/git/qemu-sgabios
+    ~/git/qemu-keycodemapdb
+    ~/git/qemu-slirp
+    ~/git/qemu-qboot
+)
+
 PATCH_PATH_MAP=(
     ""
     "roms/seabios/"

++++++ configure-remove-pkgversion-from-CONFIG_.patch ++++++
From: Bruce Rogers <[email protected]>
Date: Fri, 17 Apr 2020 13:07:37 -0600
Subject: configure: remove $pkgversion from CONFIG_STAMP input to broaden
 compatibility

As part of the effort to close the gap with Leap, I think we are fine
removing the $pkgversion component from the creation of a unique CONFIG_STAMP.
This stamp is only used in creating a unique symbol used in ensuring the
dynamically loaded modules correspond correctly to the loading qemu.
The default inputs to producing this unique symbol are somewhat reasonable
as a generic mechanism, but specific packaging and maintenance practices
might require the default to be modified for best use. This is an example
of that.

Signed-off-by: Bruce Rogers <[email protected]>
---
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 94984691ab378620ac2e0ae771ca..c68e378776336748b227013a1a3f 100755
--- a/configure
+++ b/configure
@@ -6811,7 +6811,7 @@ fi
 if test "$modules" = "yes"; then
   # $shacmd can generate a hash started with digit, which the compiler doesn't
   # like as an symbol. So prefix it with an underscore
-  echo "CONFIG_STAMP=_$( (echo $qemu_version; echo $pkgversion; cat $0) | 
$shacmd - | cut -f1 -d\ )" >> $config_host_mak
+  echo "CONFIG_STAMP=_$( (echo $qemu_version; cat $0) | $shacmd - | cut -f1 
-d\ )" >> $config_host_mak
   echo "CONFIG_MODULES=y" >> $config_host_mak
 fi
 if test "$have_x11" = "yes" && test "$need_x11" = "yes"; then
++++++ hmp-vnc-Fix-info-vnc-list-leak.patch ++++++
From: "Dr. David Alan Gilbert" <[email protected]>
Date: Mon, 23 Mar 2020 12:08:22 +0000
Subject: hmp/vnc: Fix info vnc list leak

Git-commit: d4ff109373ce871928c7e9ef648973eba642b484

We're iterating the list, and then freeing the iteration pointer rather
than the list head.

Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
Reported-by: Coverity (CID 1421932)
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 monitor/hmp-cmds.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
index b2551c16d129291068ce64b5f1fd..2fdc84ec995449b5139a89575e18 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, 
VncServerInfo2List *server)
 
 void hmp_info_vnc(Monitor *mon, const QDict *qdict)
 {
-    VncInfo2List *info2l;
+    VncInfo2List *info2l, *info2l_head;
     Error *err = NULL;
 
     info2l = qmp_query_vnc_servers(&err);
+    info2l_head = info2l;
     if (err) {
         hmp_handle_error(mon, &err);
         return;
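Review bot: Keeping two aliases of the same pointer, `info2l` as the walker and `info2l_head` as the owner, is easy to get wrong again; a dedicated cursor in the loop (which lies between the two hunks), e.g. `for (VncInfo2List *it = info2l; it; it = it->next)`, would leave `info2l` as the sole owner and make `qapi_free_VncInfo2List(info2l)` correct without the extra variable. Separately, the `if (err)` path returns without freeing: if qmp_query_vnc_servers() can return a non-NULL list together with an error this still leaks, presumably it returns NULL on error, but that is worth confirming.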
@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
         info2l = info2l->next;
     }
 
-    qapi_free_VncInfo2List(info2l);
+    qapi_free_VncInfo2List(info2l_head);
 
 }
 #endif
++++++ hw-i386-disable-smbus-migration-for-xenf.patch ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:09.659576378 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:09.659576378 +0200
@@ -23,23 +23,21 @@
 
 Signed-off-by: Olaf Hering <[email protected]>
 Signed-off-by: Bruce Rogers <[email protected]>
+[BR: Adjust implementation to simply call pc_i440fx_3_1_machine_options]
 ---
- hw/i386/pc_piix.c | 5 +++++
- 1 file changed, 5 insertions(+)
+ hw/i386/pc_piix.c | 2 ++
+ 1 file changed, 2 insertions(+)
 
 diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
-index d760d3589607daf4997ea76854c4..7bf1021200a3baa06a58fa36c430 100644
+index d760d3589607daf4997ea76854c4..000e692d0e5af449270214ea9345 100644
 --- a/hw/i386/pc_piix.c
 +++ b/hw/i386/pc_piix.c
-@@ -1043,6 +1043,11 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa,
+@@ -1043,6 +1043,8 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa,
  #ifdef CONFIG_XEN
  static void xenfv_machine_options(MachineClass *m)
  {
 +    /* compat with pc_i440fx_3_1_machine_options */
-+    PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
-+    pcmc->do_not_add_smb_acpi = true;
-+    m->smbus_no_migration_support = true;
-+    pcmc->pvh_enabled = false; /* FIXME */
++    pc_i440fx_3_1_machine_options(m);
      m->desc = "Xen Fully-virtualized PC";
      m->max_cpus = HVM_MAX_VCPUS;
      m->default_machine_opts = "accel=xen";
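Review bot: With the body reduced to a single call, the comment `/* compat with pc_i440fx_3_1_machine_options */` now restates the next line instead of explaining why xenfv needs it; say what is wanted from the 3.1 options, e.g. `/* Inherit the 3.1 machine options so smbus state is not part of migration (see description) */`. The removed version also set `pcmc->pvh_enabled = false; /* FIXME */` and `do_not_add_smb_acpi`; whether pc_i440fx_3_1_machine_options() covers both is not visible in this hunk and should be confirmed. The later assignments to m->desc, m->max_cpus and m->default_machine_opts override whatever the helper sets, which appears to be the intended order.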

++++++ iscsi-Cap-block-count-from-GET-LBA-STATU.patch ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:09.707576479 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:09.707576479 +0200
@@ -3,6 +3,7 @@
 Subject: iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
 
 Git-commit: 693fd2acdf14dd86c0bf852610f1c2cca80a74dc
+References: bsc#1166240, CVE-2020-1711
 
 When querying an iSCSI server for the provisioning status of blocks (via
 GET LBA STATUS), Qemu only validates that the response descriptor zero's

++++++ migration-colo-fix-use-after-free-of-loc.patch ++++++
From: Vladimir Sementsov-Ogievskiy <[email protected]>
Date: Tue, 24 Mar 2020 18:36:28 +0300
Subject: migration/colo: fix use after free of local_err

Git-commit: 27d07fcfa70c3afa0664288cbce5334ed9595a3a

local_err is used again in secondary_vm_do_failover() after
replication_stop_all(), so we must zero it. Otherwise, a later attempt to
set the already non-NULL local_err will crash.

Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 migration/colo.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/colo.c b/migration/colo.c
index 2c88aa57a29307963a15fc017b1d..6d46800aa6a2617521a36cc0dc33 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -92,6 +92,7 @@ static void secondary_vm_do_failover(void)
     replication_stop_all(true, &local_err);
     if (local_err) {
         error_report_err(local_err);
+        local_err = NULL;
     }
 
     /* Notify all filters of all NIC to do checkpoint */
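Review bot: The added `local_err = NULL;` is correct but the reason is invisible at the site: error_report_err() frees the Error, and `local_err` is reused by later calls in this function (outside the hunk), which per the description crash on a non-NULL pointer. A comment such as `/* error_report_err() freed it; reset so later &local_err callers start from NULL */` stops the next reader from removing an apparently redundant assignment; the same applies to the identical hunk in migration/ram.c (migration_bitmap_sync_precopy). A block-scoped `Error *local_err = NULL;` per call would avoid the reuse altogether.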
++++++ migration-ram-fix-use-after-free-of-loca.patch ++++++
From: Vladimir Sementsov-Ogievskiy <[email protected]>
Date: Tue, 24 Mar 2020 18:36:29 +0300
Subject: migration/ram: fix use after free of local_err

Git-commit: b4a1733c5e6827c72b0dcfa295e07ef7b1ebccff

local_err is used again in migration_bitmap_sync_precopy() after
precopy_notify(), so we must zero it. Otherwise, a later attempt to set
the already non-NULL local_err will crash.

Signed-off-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 migration/ram.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/ram.c b/migration/ram.c
index b6de7d1d5552a0aa39b0d232c2d6..c44542175da044c78ef8dc0ce612 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1906,6 +1906,7 @@ static void migration_bitmap_sync_precopy(RAMState *rs)
      */
     if (precopy_notify(PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, &local_err)) {
         error_report_err(local_err);
+        local_err = NULL;
     }
 
     migration_bitmap_sync(rs);
++++++ net-tulip-check-frame-size-and-r-w-data-.patch ++++++
From: Prasad J Pandit <[email protected]>
Date: Tue, 24 Mar 2020 22:57:22 +0530
Subject: net: tulip: check frame size and r/w data length

Git-commit: 8ffb7265af64ec81748335ec8f20e7ab542c3850
References: bsc#1168713, CVE-2020-11102

The Tulip network driver does not check the frame size against the r/w
data length while copying tx/rx buffers. This may lead to OOB buffer
access. Add a check to avoid it.

Limit iterations over descriptors to avoid potential infinite
loop issue in tulip_xmit_list_update.

Reported-by: Li Qiang <[email protected]>
Reported-by: Ziming Zhang <[email protected]>
Reported-by: Jason Wang <[email protected]>
Tested-by: Li Qiang <[email protected]>
Reviewed-by: Li Qiang <[email protected]>
Signed-off-by: Prasad J Pandit <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 hw/net/tulip.c | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index f85f54341fab635a4d5756a6c444..1167c1bb07d74783f3fa47b01996 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
         } else {
             len = s->rx_frame_len;
         }
+
+        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
+            return;
+        }
         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
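Review bot: The added guard compares `s->rx_frame_len + len` with the buffer size, but the write below spans `rx_frame + (rx_frame_size - rx_frame_len)` for `len` bytes, so the guard does not express the bound that actually matters; the second hunk in tulip_copy_rx_bytes has the same shape. On the visible else-branch `len <= rx_frame_len`, so the write stays in bounds whenever rx_frame_size is bounded, which the tulip_receive() change in this patch provides; but if rx_frame_len starts at rx_frame_size (not visible here), a full-size frame into one large descriptor buffer has `rx_frame_len + len` equal to twice the frame length and is silently dropped. A guard on the real write range, `if (s->rx_frame_size - s->rx_frame_len + len > sizeof(s->rx_frame)) { return; }`, rejects only out-of-bounds writes; confirm against the rx_frame_len initialisation and the field types before switching. tulip_copy_rx_bytes starts before the hunk.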
@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct 
tulip_descriptor *desc)
         } else {
             len = s->rx_frame_len;
         }
+
+        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
+            return;
+        }
         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
             (s->rx_frame_size - s->rx_frame_len), len);
         s->rx_frame_len -= len;
@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t 
*buf, size_t size)
 
     trace_tulip_receive(buf, size);
 
-    if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {
+    if (size < 14 || size > sizeof(s->rx_frame) - 4
+        || s->rx_frame_len || tulip_rx_stopped(s)) {
         return 0;
     }
 
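Review bot: The new bound `size > sizeof(s->rx_frame) - 4` replaces a magic 2048 with a magic 4, and nothing in the hunk says what the four bytes are reserved for. A comment naming them, e.g. `/* reserve room for the 4 bytes appended to the frame after copy — presumably the FCS; confirm */`, keeps the relation between this check and the rx_frame_size computation (outside the hunk) visible to the next person who touches either.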
@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc,
     return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
 }
 
-
 static NetClientInfo net_tulip_info = {
     .type = NET_CLIENT_DRIVER_NIC,
     .size = sizeof(NICState),
@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor 
*desc)
         if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
             /* Internal or external Loopback */
             tulip_receive(s, s->tx_frame, s->tx_frame_len);
-        } else {
+        } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
             qemu_send_packet(qemu_get_queue(s->nic),
                 s->tx_frame, s->tx_frame_len);
         }
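Review bot: The new `else if (s->tx_frame_len <= sizeof(s->tx_frame))` guards only the qemu_send_packet() branch; the loopback branch passes the same buffer and length to tulip_receive() unguarded. tulip_receive()'s own size check (earlier hunk) rejects oversized frames, so the outcome is equivalent, but the asymmetry invites a wrong "fix" later — either hoist one check above the `if` or add `/* loopback path is bounded by tulip_receive()'s size check */`. An oversized frame is also dropped without any trace call, which makes the condition hard to diagnose from logs.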
@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct 
tulip_descriptor *desc)
     }
 }
 
-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
+static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
 {
     int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
     int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
 
+    if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
+        return -1;
+    }
     if (len1) {
         pci_dma_read(&s->dev, desc->buf_addr1,
             s->tx_frame + s->tx_frame_len, len1);
         s->tx_frame_len += len1;
     }
 
+    if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
+        return -1;
+    }
     if (len2) {
         pci_dma_read(&s->dev, desc->buf_addr2,
             s->tx_frame + s->tx_frame_len, len2);
         s->tx_frame_len += len2;
     }
     desc->status = (len1 + len2) ? 0 : 0x7fffffff;
+
+    return 0;
 }
 
 static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
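Review bot: When either new bounds check fails, tulip_copy_tx_buffers() returns -1 with `desc->status` untouched and `tx_frame_len` still holding whatever was copied so far (buffer 1 may already be in the frame when the buffer-2 check fails), and the caller in the last hunk of this patch writes the descriptor back regardless, so the guest gets a descriptor with unchanged status rather than an error indication. Whether the device model has a suitable error status bit is not visible here; at minimum the two early returns should say `/* guest-supplied sizes exceed tx_frame: frame dropped, descriptor status left unchanged */`. The new int return also deserves a header comment: `/* Returns 0 on success, -1 if the descriptor's buffer sizes would overflow tx_frame (the offending buffer is not copied). */`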
@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s)
 
 static void tulip_xmit_list_update(TULIPState *s)
 {
+#define TULIP_DESC_MAX 128
+    uint8_t i = 0;
     struct tulip_descriptor desc;
 
     if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
         return;
     }
 
-    for (;;) {
+    for (i = 0; i < TULIP_DESC_MAX; i++) {
         tulip_desc_read(s, s->current_tx_desc, &desc);
         tulip_dump_tx_descriptor(s, &desc);
 
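Review bot: `#define TULIP_DESC_MAX 128` inside the function body stays defined for the rest of the translation unit, which is surprising for a reader who finds it used elsewhere; an `enum { TULIP_DESC_MAX = 128 };` or a `#define` at file scope next to the other constants is the usual form. `uint8_t i` compared against an int macro is needlessly narrow; `int i` (or `unsigned`) is enough. The cap should also say what it is for, e.g. `/* bound the walk so a guest-built circular descriptor ring cannot hang the emulator */`, since the commit message is the only place that currently explains it.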
@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s)
                 s->tx_frame_len = 0;
             }
 
-            tulip_copy_tx_buffers(s, &desc);
-
-            if (desc.control & TDES1_LS) {
-                tulip_tx(s, &desc);
+            if (!tulip_copy_tx_buffers(s, &desc)) {
+                if (desc.control & TDES1_LS) {
+                    tulip_tx(s, &desc);
+                }
             }
         }
         tulip_desc_write(s, s->current_tx_desc, &desc);
++++++ ppc-ppc405_boards-Remove-unnecessary-NUL.patch ++++++
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]>
Date: Fri, 20 Mar 2020 16:57:40 +0100
Subject: ppc/ppc405_boards: Remove unnecessary NULL check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 1583794b9b36911df116cc726750dadbeeac506a

This code is inside the "if (dinfo)" condition, so testing
again here whether it is NULL is unnecessary.

Fixes: dd59bcae7 (Don't size flash memory to match backing image)
Reported-by: Coverity (CID 1421917)
Suggested-by: Peter Maydell <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Markus Armbruster <[email protected]>
Signed-off-by: David Gibson <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 hw/ppc/ppc405_boards.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
index 1f721feed6a4bfc128187aefb5d9..556f3a80ec1ddbc018e00941c5c5 100644
--- a/hw/ppc/ppc405_boards.c
+++ b/hw/ppc/ppc405_boards.c
@@ -184,7 +184,7 @@ static void ref405ep_init(MachineState *machine)
         bios_size = 8 * MiB;
         pflash_cfi02_register((uint32_t)(-bios_size),
                               "ef405ep.bios", bios_size,
-                              dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+                              blk_by_legacy_dinfo(dinfo),
                               64 * KiB, 1,
                               2, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
                               1);
@@ -450,7 +450,7 @@ static void taihu_405ep_init(MachineState *machine)
         bios_size = 2 * MiB;
         pflash_cfi02_register(0xFFE00000,
                               "taihu_405ep.bios", bios_size,
-                              dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+                              blk_by_legacy_dinfo(dinfo),
                               64 * KiB, 1,
                               4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
                               1);
@@ -486,7 +486,7 @@ static void taihu_405ep_init(MachineState *machine)
     if (dinfo) {
         bios_size = 32 * MiB;
         pflash_cfi02_register(0xfc000000, "taihu_405ep.flash", bios_size,
-                              dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+                              blk_by_legacy_dinfo(dinfo),
                               64 * KiB, 1,
                               4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
                               1);
++++++ qcow2-List-autoclear-bit-names-in-header.patch ++++++
From: Eric Blake <[email protected]>
Date: Tue, 24 Mar 2020 12:42:31 -0500
Subject: qcow2: List autoclear bit names in header

Git-commit: bb40ebce2cb0bd4bf37968074d43d5a864fb6dee

The feature table is supposed to advertise the name of all feature
bits that we support; however, we forgot to update the table for
autoclear bits.  While at it, move the table to read-only memory in
code, and tweak the qcow2 spec to name the second autoclear bit.
Update iotests that are affected by the longer header length.

Fixes: 88ddffae
Fixes: 93c24936
Signed-off-by: Eric Blake <[email protected]>
Reviewed-by: Vladimir Sementsov-Ogievskiy <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Max Reitz <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 block/qcow2.c              | 12 +++++++++++-
 docs/interop/qcow2.txt     |  3 ++-
 tests/qemu-iotests/031.out |  8 ++++----
 tests/qemu-iotests/036.out |  4 ++--
 tests/qemu-iotests/061.out | 14 +++++++-------
 5 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/block/qcow2.c b/block/qcow2.c
index 13e118e16f02f371c0f23c7aaa8d..77edd98be6fbaf0949dcb7755e48 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2822,7 +2822,7 @@ int qcow2_update_header(BlockDriverState *bs)
 
     /* Feature table */
     if (s->qcow_version >= 3) {
-        Qcow2Feature features[] = {
+        static const Qcow2Feature features[] = {
             {
                 .type = QCOW2_FEAT_TYPE_INCOMPATIBLE,
                 .bit  = QCOW2_INCOMPAT_DIRTY_BITNR,
@@ -2843,6 +2843,16 @@ int qcow2_update_header(BlockDriverState *bs)
                 .bit  = QCOW2_COMPAT_LAZY_REFCOUNTS_BITNR,
                 .name = "lazy refcounts",
             },
+            {
+                .type = QCOW2_FEAT_TYPE_AUTOCLEAR,
+                .bit  = QCOW2_AUTOCLEAR_BITMAPS_BITNR,
+                .name = "bitmaps",
+            },
+            {
+                .type = QCOW2_FEAT_TYPE_AUTOCLEAR,
+                .bit  = QCOW2_AUTOCLEAR_DATA_FILE_RAW_BITNR,
+                .name = "raw external data",
+            },
         };
 
         ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FEATURE_TABLE,
diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt
index af5711e5337191d2c01932b0b3d0..8510d74c807927b86cf76a0f6cb8 100644
--- a/docs/interop/qcow2.txt
+++ b/docs/interop/qcow2.txt
@@ -138,7 +138,8 @@ in the description of a field.
                                 bit is unset, the bitmaps extension data must 
be
                                 considered inconsistent.
 
-                    Bit 1:      If this bit is set, the external data file can
+                    Bit 1:      Raw external data bit
+                                If this bit is set, the external data file can
                                 be read as a consistent standalone raw image
                                 without looking at the qcow2 metadata.
 
diff --git a/tests/qemu-iotests/031.out b/tests/qemu-iotests/031.out
index 68a74d03b9971ea8946e8fce41d6..f1941300d817ef1026046891c4df 100644
--- a/tests/qemu-iotests/031.out
+++ b/tests/qemu-iotests/031.out
@@ -117,7 +117,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 Header extension:
@@ -150,7 +150,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 Header extension:
@@ -164,7 +164,7 @@ No errors were found on the image.
 
 magic                     0x514649fb
 version                   3
-backing_file_offset       0x178
+backing_file_offset       0x1d8
 backing_file_size         0x17
 cluster_bits              16
 size                      67108864
@@ -188,7 +188,7 @@ data                      'host_device'
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 Header extension:
diff --git a/tests/qemu-iotests/036.out b/tests/qemu-iotests/036.out
index e489b443866c515b42be344a9b85..3c19fa1edee7aeee1589a1c68366 100644
--- a/tests/qemu-iotests/036.out
+++ b/tests/qemu-iotests/036.out
@@ -58,7 +58,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 
@@ -86,7 +86,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 *** done
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
index d6a7c2af95f2dcff314f425fd6a3..f98c098b5431072d4e54de1475cc 100644
--- a/tests/qemu-iotests/061.out
+++ b/tests/qemu-iotests/061.out
@@ -26,7 +26,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 magic                     0x514649fb
@@ -84,7 +84,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 magic                     0x514649fb
@@ -140,7 +140,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 ERROR cluster 5 refcount=0 reference=1
@@ -195,7 +195,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 magic                     0x514649fb
@@ -264,7 +264,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 read 65536/65536 bytes at offset 44040192
@@ -298,7 +298,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 ERROR cluster 5 refcount=0 reference=1
@@ -327,7 +327,7 @@ header_length             104
 
 Header extension:
 magic                     0x6803f857
-length                    192
+length                    288
 data                      <binary>
 
 read 131072/131072 bytes at offset 0



++++++ qemu.spec.in ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:09.879576838 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:09.879576838 +0200
@@ -942,7 +942,7 @@
 cd %mybuilddir
 %endif
 
-%{_builddir}/%buildsubdir/configure \
+../%buildsubdir/configure \
        --prefix=%_prefix \
        --sysconfdir=%_sysconfdir \
        --libdir=%_libdir \
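Review bot: `../%buildsubdir/configure` is only correct when the `cd %mybuilddir` just above has executed, and that line sits under a conditional (the `%endif` at the top of the hunk), so in the other branch the relative path resolves from a different working directory. Either keep the absolute `%{_builddir}/%buildsubdir/configure` or make the cd unconditional; if the build directory is guaranteed to be a sibling of the source tree in both branches, a one-line comment saying so would prevent the next reader from re-asking. The condition itself is outside the hunk.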
@@ -1180,11 +1180,7 @@
 %endif
 
 make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \
-%if 0%{?is_opensuse} == 0
-  SEABIOS_EXTRAVERSION="-rebuilt.suse.com" \
-%else
   SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \
-%endif
 %ifnarch %ix86 x86_64
   HOSTCC=cc \
 %endif

++++++ s390x-protvirt-Support-unpack-facility.patch ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:09.943576971 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:09.943576971 +0200
@@ -69,7 +69,7 @@
  obj-y += ap-device.o
  obj-y += ap-bridge.o
 diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
-index ca544d64c5e04782fb49d12521d5..73e5210b4d4e7ad912cfe5475ac4 100644
+index ca544d64c5e04782fb49d12521d5..c343cfb0bed4272cecf31207dae8 100644
 --- a/hw/s390x/ipl.c
 +++ b/hw/s390x/ipl.c
 @@ -1,10 +1,11 @@
@@ -139,7 +139,7 @@
 +
 +    cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr,
 +                             ipib_pv->pv_header_len);
-+    rc = s390_pv_set_sec_parms((uint64_t)(uintptr_t)hdr,
++    rc = s390_pv_set_sec_parms((uintptr_t)hdr,
 +                               ipib_pv->pv_header_len);
 +    g_free(hdr);
 +    return rc;

++++++ s390x-s390-virtio-ccw-Fix-build-on-syste.patch ++++++
From: Christian Borntraeger <[email protected]>
Date: Mon, 6 Apr 2020 06:01:58 -0400
Subject: s390x/s390-virtio-ccw: Fix build on systems without KVM

References: bsc#1167075

linux/kvm.h is not available on all platforms. Let us move
s390_machine_inject_pv_error into pv.c as it uses KVM structures.
Also rename the function to s390_pv_inject_reset_error.

While at it, ipl.h needs an include for "exec/address-spaces.h"
as it uses address_space_memory.

Fixes: 49fc3220175e ("s390x: protvirt: Support unpack facility")
Reported-by: Bruce Rogers <[email protected]>
Signed-off-by: Christian Borntraeger <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 hw/s390x/ipl.h             |  1 +
 hw/s390x/pv.c              | 11 +++++++++++
 hw/s390x/s390-virtio-ccw.c | 12 +-----------
 include/hw/s390x/pv.h      |  3 +++
 4 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
index 89b3044d7a2ee54014daa8eeafc9..53cc9eb5ac4d326b2b61bf1668a8 100644
--- a/hw/s390x/ipl.h
+++ b/hw/s390x/ipl.h
@@ -14,6 +14,7 @@
 #define HW_S390_IPL_H
 
 #include "cpu.h"
+#include "exec/address-spaces.h"
 #include "hw/qdev-core.h"
 
 struct IPLBlockPVComp {
diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
index 8cf5cd2c9bcd48b03af1e546fb3a..2c4d5e89890b7d21abdcd718c2f2 100644
--- a/hw/s390x/pv.c
+++ b/hw/s390x/pv.c
@@ -13,8 +13,10 @@
 
 #include <linux/kvm.h>
 
+#include "cpu.h"
 #include "qemu/error-report.h"
 #include "sysemu/kvm.h"
+#include "hw/s390x/ipl.h"
 #include "hw/s390x/pv.h"
 
 static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
@@ -96,3 +98,12 @@ void s390_pv_unshare(void)
 {
     s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL);
 }
+
+void s390_pv_inject_reset_error(CPUState *cs)
+{
+    int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
+    CPUS390XState *env = &S390_CPU(cs)->env;
+
+    /* Report that we are unable to enter protected mode */
+    env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
+}
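Review bot: `env->regs[r1 + 1]` indexes one past `r1`, and `r1` can be 15 from the 4-bit field, so if regs has 16 entries the index can reach 16; the expression is moved rather than new, but the move is the moment to record its precondition. Presumably the diag308 handler has already rejected an odd r1 (the instruction takes an even register pair), in which case r1 + 1 stays at most 15 — a comment `/* r1 is even (enforced by the diag308 handler), so r1 + 1 is in range */` at the declaration, or an assert on `!(r1 & 1)`, would make that explicit. The function also has no header comment; one line saying it runs after s390_machine_protect() fails during machine reset (per the s390-virtio-ccw.c hunk) would help.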
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index 85250bf046ed72313b03c6ff6c54..5df455e065504bc0eef0f1f084dc 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -44,7 +44,6 @@
 #include "sysemu/sysemu.h"
 #include "sysemu/balloon.h"
 #include "hw/s390x/pv.h"
-#include <linux/kvm.h>
 #include "migration/blocker.h"
 
 static Error *pv_mig_blocker;
@@ -392,15 +391,6 @@ out_err:
     return rc;
 }
 
-static void s390_machine_inject_pv_error(CPUState *cs)
-{
-    int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
-    CPUS390XState *env = &S390_CPU(cs)->env;
-
-    /* Report that we are unable to enter protected mode */
-    env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
-}
-
 static void s390_pv_prepare_reset(S390CcwMachineState *ms)
 {
     CPUState *cs;
@@ -486,7 +476,7 @@ static void s390_machine_reset(MachineState *machine)
         run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL);
 
         if (s390_machine_protect(ms)) {
-            s390_machine_inject_pv_error(cs);
+            s390_pv_inject_reset_error(cs);
             /*
              * Continue after the diag308 so the guest knows something
              * went wrong.
diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
index c6cb360f2f6a0a32a37970769e1b..522ca6a04ee877940ff1de9f410b 100644
--- a/include/hw/s390x/pv.h
+++ b/include/hw/s390x/pv.h
@@ -13,6 +13,7 @@
 #define HW_S390_PV_H
 
 #ifdef CONFIG_KVM
+#include "cpu.h"
 #include "hw/s390x/s390-virtio-ccw.h"
 
 static inline bool s390_is_pv(void)
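Review bot: The new `#include "cpu.h"` is placed inside `#ifdef CONFIG_KVM`, but the `#else` branch (last hunk of this file) now declares a stub taking `CPUState *cs`, so a build without KVM — the case this commit is fixing — compiles only if some earlier include already provided CPUState. Moving the include above the `#ifdef CONFIG_KVM` makes the header self-contained in both branches; if the non-KVM path is known to get cpu.h via s390-virtio-ccw.h or elsewhere, a comment should say so.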
@@ -41,6 +42,7 @@ int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t 
tweak);
 void s390_pv_perf_clear_reset(void);
 int s390_pv_verify(void);
 void s390_pv_unshare(void);
+void s390_pv_inject_reset_error(CPUState *cs);
 #else /* CONFIG_KVM */
 static inline bool s390_is_pv(void) { return false; }
 static inline int s390_pv_vm_enable(void) { return 0; }
@@ -50,6 +52,7 @@ static inline int s390_pv_unpack(uint64_t addr, uint64_t 
size, uint64_t tweak) {
 static inline void s390_pv_perf_clear_reset(void) {}
 static inline int s390_pv_verify(void) { return 0; }
 static inline void s390_pv_unshare(void) {}
+static inline void s390_pv_inject_reset_error(CPUState *cs) {};
 #endif /* CONFIG_KVM */
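Review bot: The non-KVM stub on the last added line carries a stray semicolon after its body, `static inline void s390_pv_inject_reset_error(CPUState *cs) {};`, which is an empty declaration at file scope and draws a warning under `-Wpedantic`; drop it: `static inline void s390_pv_inject_reset_error(CPUState *cs) {}`. The same `#else` branch names `CPUState`, while the `#include "cpu.h"` added in the first hunk of this file sits under `#ifdef CONFIG_KVM`, so the non-KVM side compiles only if every includer already has `cpu.h` in scope; if that is not guaranteed, the include belongs above the `#ifdef`.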
 
 #endif /* HW_S390_PV_H */
++++++ scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch ++++++
From: Christophe de Dinechin <[email protected]>
Date: Fri, 28 Feb 2020 16:00:59 +0100
Subject: scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 4ce1e15fbc7266a108a7c77a3962644b3935346e

Compile error reported by gcc 10.0.1:

scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’:
scsi/qemu-pr-helper.c:523:32: error: array subscript <unknown> is outside array 
bounds of ‘struct transportid *[0]’ [-Werror=array-bounds]
  523 |             paramp.trnptid_list[paramp.num_transportid++] = id;
      |             ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from scsi/qemu-pr-helper.c:36:
/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’
  168 |  struct transportid *trnptid_list[];
      |                      ^~~~~~~~~~~~
scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’
  424 |     struct prout_param_descriptor paramp;
      |                                   ^~~~~~

This highlights an actual implementation issue in function multipath_pr_out.
The variable paramp is declared with type `struct prout_param_descriptor`,
which is a struct terminated by an empty array in mpath_persist.h:

        struct transportid *trnptid_list[];

That empty array was filled with code that looked like this:

        trnptid_list[paramp.descr.num_transportid++] = id;

This is an actual out-of-bounds access.

The fix is to malloc `paramp`.

Signed-off-by: Christophe de Dinechin <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 scsi/qemu-pr-helper.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
index debb18f4aa5d55a1720587cf82ea..38c273de19573ad8421da6439153 100644
--- a/scsi/qemu-pr-helper.c
+++ b/scsi/qemu-pr-helper.c
@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, 
uint8_t *sense,
     int rq_servact = cdb[1];
     int rq_scope = cdb[2] >> 4;
     int rq_type = cdb[2] & 0xf;
-    struct prout_param_descriptor paramp;
+    g_autofree struct prout_param_descriptor *paramp = NULL;
     char transportids[PR_HELPER_DATA_SIZE];
     int r;
 
+    paramp = g_malloc0(sizeof(struct prout_param_descriptor)
+                       + sizeof(struct transportid *) * MPATH_MX_TIDS);
+
     if (sz < PR_OUT_FIXED_PARAM_SIZE) {
         /* Illegal request, Parameter list length error.  This isn't fatal;
          * we have read the data, send an error without closing the socket.
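Review bot: The allocation size on the new `g_malloc0` line spells both types out by hand; tying it to the object keeps it right if the pointer type ever changes: `paramp = g_malloc0(sizeof(*paramp) + sizeof(paramp->trnptid_list[0]) * MPATH_MX_TIDS);`. A one-line comment saying why extra room is needed would also help, e.g. `/* prout_param_descriptor ends in a flexible array; reserve room for MPATH_MX_TIDS transport IDs. */`. The function's signature appears only in the hunk header and its body continues past this hunk.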
@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, 
uint8_t *sense,
      * used by libmpathpersist (which, of course, will immediately
      * do the opposite).
      */
-    memset(&paramp, 0, sizeof(paramp));
-    memcpy(&paramp.key, &param[0], 8);
-    memcpy(&paramp.sa_key, &param[8], 8);
-    paramp.sa_flags = param[20];
+    memcpy(&paramp->key, &param[0], 8);
+    memcpy(&paramp->sa_key, &param[8], 8);
+    paramp->sa_flags = param[20];
     if (sz > PR_OUT_FIXED_PARAM_SIZE) {
         size_t transportid_len;
         int i, j;
@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, 
uint8_t *sense,
                 return CHECK_CONDITION;
             }
 
-            paramp.trnptid_list[paramp.num_transportid++] = id;
+            assert(paramp->num_transportid < MPATH_MX_TIDS);
+            paramp->trnptid_list[paramp->num_transportid++] = id;
         }
     }
 
     r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type,
-                                     &paramp, noisy, verbose);
+                                     paramp, noisy, verbose);
     return mpath_reconstruct_sense(fd, r, sense);
 }
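Review bot: The added `assert(paramp->num_transportid < MPATH_MX_TIDS)` turns an over-long transport-ID list into an abort of the helper instead of a rejected request. Unless the parsing loop above (its start lies outside this hunk) already caps the count, that bound is reached by the request contents alone, and the surrounding code answers bad contents by building sense data and returning CHECK_CONDITION, as the `return CHECK_CONDITION;` three lines earlier shows. Replacing the assert with that error path, `if (paramp->num_transportid >= MPATH_MX_TIDS) { /* Illegal Request sense, as above */ return CHECK_CONDITION; }`, keeps the helper alive on malformed input. `multipath_pr_out` begins before this hunk and ends at the closing brace here.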
 #endif
++++++ sheepdog-Consistently-set-bdrv_has_zero_.patch ++++++
From: Eric Blake <[email protected]>
Date: Tue, 24 Mar 2020 12:42:33 -0500
Subject: sheepdog: Consistently set bdrv_has_zero_init_truncate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: ed049910637be991c88cc25c864115bc5b1e4dab

block_int.h claims that .bdrv_has_zero_init must return 0 if
.bdrv_has_zero_init_truncate does likewise; but this is violated when
only the former callback is provided and .bdrv_co_truncate also exists.
When the latter callback was added, it was mistakenly added to only one
of the three possible sheepdog instantiations.

Fixes: 1dcaf527
Signed-off-by: Eric Blake <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: John Snow <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Max Reitz <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 block/sheepdog.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/block/sheepdog.c b/block/sheepdog.c
index cfa84338a2d6b653ce243ae53c7a..522c16a936762ff00ee23a5e9ca3 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -3269,6 +3269,7 @@ static BlockDriver bdrv_sheepdog_tcp = {
     .bdrv_co_create               = sd_co_create,
     .bdrv_co_create_opts          = sd_co_create_opts,
     .bdrv_has_zero_init           = bdrv_has_zero_init_1,
+    .bdrv_has_zero_init_truncate  = bdrv_has_zero_init_1,
     .bdrv_getlength               = sd_getlength,
     .bdrv_get_allocated_file_size = sd_get_allocated_file_size,
     .bdrv_co_truncate             = sd_co_truncate,
@@ -3307,6 +3308,7 @@ static BlockDriver bdrv_sheepdog_unix = {
     .bdrv_co_create               = sd_co_create,
     .bdrv_co_create_opts          = sd_co_create_opts,
     .bdrv_has_zero_init           = bdrv_has_zero_init_1,
+    .bdrv_has_zero_init_truncate  = bdrv_has_zero_init_1,
     .bdrv_getlength               = sd_getlength,
     .bdrv_get_allocated_file_size = sd_get_allocated_file_size,
     .bdrv_co_truncate             = sd_co_truncate,
++++++ spapr-Fix-failure-path-for-attempting-to.patch ++++++
From: David Gibson <[email protected]>
Date: Thu, 26 Mar 2020 16:12:40 +1100
Subject: spapr: Fix failure path for attempting to hot unplug PCI bridges

Git-commit: 7aab5899764887f6b0512cb2e5c11bdc2a5d3644

For various technical reasons we can't currently allow unplugging a PCI-to-PCI
bridge on the pseries machine.  spapr_pci_unplug_request() correctly
generates an error message if that's attempted.

But.. if the given errp is not error_abort or error_fatal, it doesn't
actually stop trying to unplug the bridge anyway.

Fixes: 14e714900f6b "spapr: Allow hot plug/unplug of PCI bridges and devices 
under PCI bridges"
Signed-off-by: David Gibson <[email protected]>
Reviewed-by: Greg Kurz <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 hw/ppc/spapr_pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index f6fbcf99edaaf9844fe669951716..5b544adb4a4d7868cf17d6534e19 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -1663,6 +1663,7 @@ static void spapr_pci_unplug_request(HotplugHandler 
*plug_handler,
 
         if (pc->is_bridge) {
             error_setg(errp, "PCI: Hot unplug of PCI bridges not supported");
+            return;
         }
 
         /* ensure any other present functions are pending unplug */
++++++ supported.arm.txt ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:10.015577122 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:10.015577122 +0200
@@ -28,7 +28,8 @@
   QEMU is a primary component of KVM based virtualization. The QEMU emulator
   binary qemu-system-aarch64 is the program to use to access KVM 
virtualization.
   When using this program, the -machine option accel=kvm (or its alias
-  -enable-kvm) must be specified for KVM acceleration to be used by the guest.
+  -enable-kvm) or --accel kvm option must be specified for KVM acceleration to
+  be used by the guest.
 
   Libvirt is the preferred means of accessing QEMU/KVM functionality and is
   documented elsewhere. This document focuses on the features and direct usage
@@ -134,6 +135,10 @@
 
 - GlusterFS integration is not enabled.
 
+- 32 bit ARM KVM has never been supported by SUSE, but it's worth noting that
+  this capability will cease to even be possible in a near-future QEMU/KVM
+  (kernel) combination.
+
 Deprecated, Superseded, Modified and Dropped Features
 -----------------------------------------------------
 
@@ -163,8 +168,11 @@
   considered deprecated. In the future those names will be standardized to
   acpitable, boot, and smp respectively.
 
-- This previously supported command line options is now considered deprecated:
-  -device scsi-disk (use scsi-hd or scsi-cd)
+- These previously supported command line options are now considered 
deprecated:
+  -device scsi-disk (use scsi-hd or scsi-cd instead)
+  -device virtio-blk,scsi= (use virtio-scsi instead)
+  -device virtio-blk-pci,scsi= (use virtio-scsi instead)
+  -realtime mlock= (use -overcommit mem-lock- instead)
 
 - These previously supported command line options are no longer supported:
   <previously mentioned items have been moved to another category>

++++++ supported.ppc.txt ++++++
++++ 789 lines (skipped)
++++ between /work/SRC/openSUSE:Leap:15.2/qemu/supported.ppc.txt
++++ and /work/SRC/openSUSE:Leap:15.2/.qemu.new.2738/supported.ppc.txt

++++++ supported.s390.txt ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:10.055577205 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:10.055577205 +0200
@@ -29,8 +29,8 @@
   program is available for continuity with pre SLES 12 usage, including in
   libvirt domain xml references. The QEMU emulator binary qemu-system-s390x is
   now the primary program to use to access KVM virtualization. When using this
-  program, the -machine option accel=kvm (or its alias -enable-kvm) must be
-  specified for KVM acceleration to be used by the guest.
+  program, the -machine option accel=kvm (or its alias -enable-kvm) or --accel
+  kvm option must be specified for KVM acceleration to be used by the guest.
 
   Libvirt is the preferred means of accessing QEMU/KVM functionality and is
   documented elsewhere. This document focuses on the features and direct usage
@@ -164,8 +164,10 @@
   considered deprecated. In the future those names will be standardized to
   acpitable, boot, and smp respectively.
 
-- These previously supported command line options are now considered 
deprecated:
-  <none>
+- This previously supported command line option is now considered deprecated:
+  -device virtio-blk,scsi= (use virtio-scsi instead)
+  -device virtio-blk-pci,scsi= (use virtio-scsi instead)
+  -realtime mlock= (use -overcommit mem-lock= instead)
 
 - These previously supported command line options are no longer supported:
   <previously mentioned items have been moved to another category>

++++++ supported.x86.txt ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:10.079577255 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:10.079577255 +0200
@@ -30,9 +30,10 @@
   libvirt domain xml references. The QEMU emulator binaries qemu-system-x86_64
   and qemu-system-i386 (x86 host) are now the primary programs to use to access
   KVM virtualization. When using these programs, the -machine option accel=kvm
-  (or its alias -enable-kvm) must be specified for KVM acceleration to be
-  used by the guest. Although Xen uses QEMU for virtualization as well, this
-  document does not identify Xen supported features.
+  (or its alias -enable-kvm), or --accel kvm option must be specified for KVM
+  acceleration to be used by the guest. Although Xen uses QEMU for
+  virtualization as well, this document does not identify Xen supported
+  features.
 
   Libvirt is the preferred means of accessing QEMU/KVM functionality and is
   documented elsewhere. This document focuses on the features and direct usage
@@ -208,8 +209,11 @@
   deprecated.
  
 - These previously supported command line options are now considered 
deprecated:
-  -device ide-drive (use ide-hd or ide-cd)
-  -device scsi-disk (use scsi-hd or scsi-cd)
+  -device ide-drive (use ide-hd or ide-cd instead)
+  -device scsi-disk (use scsi-hd or scsi-cd instead)
+  -device virtio-blk,scsi= (use virtio-scsi instead)
+  -device virtio-blk-pci,scsi= (use virtio-scsi instead)
+  -realtime mlock= (use -overcommit mem-lock= instead)
 
 - These previously supported command line options are no longer supported:
   <previously mentioned items have been moved to another category>

++++++ target-arm-Fix-PAuth-sbox-functions.patch ++++++
From: Vincent Dehors <[email protected]>
Date: Thu, 23 Jan 2020 15:22:38 +0000
Subject: target/arm: Fix PAuth sbox functions

Git-commit: de0b1bae6461f67243282555475f88b2384a1eb9
References: bsc#1168681, CVE-2020-10702

In the PAC computation, the sbox was applied to the wrong bits.
As this is a 4-bit sbox, the bit index should be incremented by 4 instead of 16.

Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
used to verify one computation of the pauth_computepac() function which
uses sbox2.

Launchpad: https://bugs.launchpad.net/bugs/1859713
Reviewed-by: Richard Henderson <[email protected]>
Signed-off-by: Vincent DEHORS <[email protected]>
Signed-off-by: Adrien GRASSEIN <[email protected]>
Message-id: [email protected]
Reviewed-by: Peter Maydell <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 target/arm/pauth_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
index d3194f20437b717ec1cc13a1003e..0a5f41e10c5f03d85a727b2b7c42 100644
--- a/target/arm/pauth_helper.c
+++ b/target/arm/pauth_helper.c
@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
     uint64_t o = 0;
     int b;
 
-    for (b = 0; b < 64; b += 16) {
+    for (b = 0; b < 64; b += 4) {
         o |= (uint64_t)sub[(i >> b) & 0xf] << b;
     }
     return o;
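Review bot: The corrected loop step in `pac_sub` is now coupled to the `& 0xf` mask and to the 16-entry table it indexes, but nothing in the function states that relation, which is how a step of 16 went unnoticed; a comment above the loop such as `/* Apply the 4-bit S-box to each nibble of the 64-bit input. */` makes it explicit, and the same applies to `pac_inv_sub` in the next hunk. The commit message says a QARMA test vector was used to verify the result; recording that vector as a regression test would guard the step size against drifting again. Both function bodies start above their hunks.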
@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
     uint64_t o = 0;
     int b;
 
-    for (b = 0; b < 64; b += 16) {
+    for (b = 0; b < 64; b += 4) {
         o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
     }
     return o;
++++++ target-i386-do-not-set-unsupported-VMX-s.patch ++++++
From: Vitaly Kuznetsov <[email protected]>
Date: Tue, 31 Mar 2020 18:27:52 +0200
Subject: target/i386: do not set unsupported VMX secondary execution controls

Git-commit: 4a910e1f6ab4155ec8b24c49b2585cc486916985

Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for
secondary execution controls") added a workaround for KVM pre-dating
commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm
KVM_GET_MSRS") which wasn't setting certain available controls. The
workaround uses generic CPUID feature bits to set missing VMX controls.

It was found that in some cases it is possible to observe hosts which
have certain CPUID features but lack the corresponding VMX control.

In particular, it was reported that Azure VMs have RDSEED but lack
VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature
bit result in QEMU abort.

Resolve the issue by not applying the workaround when we don't have
to. As there is no good way to find out if KVM has the fix itself, use
95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead,
as these [are supposed to] come together.

Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary 
execution controls")
Suggested-by: Paolo Bonzini <[email protected]>
Signed-off-by: Vitaly Kuznetsov <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 target/i386/kvm.c | 41 ++++++++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index b8ea67a644c802358826a840bdf1..91cd4976e262ad6bbb83206114b3 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -105,6 +105,7 @@ static bool has_msr_smi_count;
 static bool has_msr_arch_capabs;
 static bool has_msr_core_capabs;
 static bool has_msr_vmx_vmfunc;
+static bool has_msr_vmx_procbased_ctls2;
 
 static uint32_t has_architectural_pmu_version;
 static uint32_t num_architectural_pmu_gp_counters;
@@ -489,21 +490,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, 
uint32_t index)
     value = msr_data.entries[0].data;
     switch (index) {
     case MSR_IA32_VMX_PROCBASED_CTLS2:
-        /* KVM forgot to add these bits for some time, do this ourselves.  */
-        if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & 
CPUID_XSAVE_XSAVES) {
-            value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
-        }
-        if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND) {
-            value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
-        }
-        if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & 
CPUID_7_0_EBX_INVPCID) {
-            value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
-        }
-        if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & 
CPUID_7_0_EBX_RDSEED) {
-            value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
-        }
-        if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & 
CPUID_EXT2_RDTSCP) {
-            value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
+        if (!has_msr_vmx_procbased_ctls2) {
+            /* KVM forgot to add these bits for some time, do this ourselves. 
*/
+            if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
+                CPUID_XSAVE_XSAVES) {
+                value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
+            }
+            if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
+                CPUID_EXT_RDRAND) {
+                value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
+            }
+            if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
+                CPUID_7_0_EBX_INVPCID) {
+                value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
+            }
+            if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
+                CPUID_7_0_EBX_RDSEED) {
+                value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
+            }
+            if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) &
+                CPUID_EXT2_RDTSCP) {
+                value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
+            }
         }
         /* fall through */
     case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
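Review bot: The new `if (!has_msr_vmx_procbased_ctls2)` guard keeps the old "KVM forgot" comment but not the reason the flag is a valid proxy, which only the commit message gives; a comment above the guard such as `/* A KVM that lists this MSR in KVM_GET_MSR_INDEX_LIST also reports the conditional controls itself; older KVM needs the CPUID-derived workaround below. */` keeps that rationale next to the code. The flag is only set in `kvm_get_supported_msrs` (last hunk), so if this function can run before that, the guard reads false and the previous unconditional behaviour results, which looks like a harmless fallback but is worth confirming. The enclosing function starts before this hunk and continues after it.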
@@ -2056,6 +2064,9 @@ static int kvm_get_supported_msrs(KVMState *s)
             case MSR_IA32_VMX_VMFUNC:
                 has_msr_vmx_vmfunc = true;
                 break;
+            case MSR_IA32_VMX_PROCBASED_CTLS2:
+                has_msr_vmx_procbased_ctls2 = true;
+                break;
             }
         }
     }
++++++ target-xtensa-fix-pasto-in-pfwait.r-opco.patch ++++++
From: Max Filippov <[email protected]>
Date: Wed, 26 Feb 2020 12:43:52 -0800
Subject: target/xtensa: fix pasto in pfwait.r opcode name

Git-commit: 1a03362b14affa4d8ddede55df6e21d7a07b87c2

Core xtensa opcode table has pfwait.o instead of pfwait.r. Fix that.

Fixes: c884400f2988 ("target/xtensa: implement block prefetch option opcodes")
Signed-off-by: Max Filippov <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 target/xtensa/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index a99f5296e2f4f1d01fd21cfb3fd0..2ec0e5a047ed0e9b9c0926518649 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -3740,7 +3740,7 @@ static const XtensaOpcodeOps core_ops[] = {
         .name = "pfwait.a",
         .translate = translate_nop,
     }, {
-        .name = "pfwait.o",
+        .name = "pfwait.r",
         .translate = translate_nop,
     }, {
         .name = "pitlb",
++++++ tcg-i386-Fix-INDEX_op_dup2_vec.patch ++++++
From: Richard Henderson <[email protected]>
Date: Sat, 28 Mar 2020 18:16:10 -0700
Subject: tcg/i386: Fix INDEX_op_dup2_vec

Git-commit: e20cb81d9c5a3d0f9c08f3642728a210a1c162c9

We were only constructing the 64-bit element, and not
replicating the 64-bit element across the rest of the vector.

Cc: [email protected]
Signed-off-by: Richard Henderson <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 tcg/i386/tcg-target.inc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tcg/i386/tcg-target.inc.c b/tcg/i386/tcg-target.inc.c
index 9d8ed974e011152d2df4cba613ad..77b78c941c5afcd065a8e153dca7 100644
--- a/tcg/i386/tcg-target.inc.c
+++ b/tcg/i386/tcg-target.inc.c
@@ -2855,9 +2855,13 @@ static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
         goto gen_simd;
 #if TCG_TARGET_REG_BITS == 32
     case INDEX_op_dup2_vec:
-        /* Constraints have already placed both 32-bit inputs in xmm regs.  */
-        insn = OPC_PUNPCKLDQ;
-        goto gen_simd;
+        /* First merge the two 32-bit inputs to a single 64-bit element. */
+        tcg_out_vex_modrm(s, OPC_PUNPCKLDQ, a0, a1, a2);
+        /* Then replicate the 64-bit elements across the rest of the vector. */
+        if (type != TCG_TYPE_V64) {
+            tcg_out_dup_vec(s, type, MO_64, a0, a0);
+        }
+        break;
 #endif
     case INDEX_op_abs_vec:
         insn = abs_insn[vece];
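Review bot: The new `INDEX_op_dup2_vec` case emits `OPC_PUNPCKLDQ` through `tcg_out_vex_modrm` directly instead of the shared `gen_simd` path it used before; if that path adds the VEX.L bit for `TCG_TYPE_V256` (it lies outside this hunk), the direct call deliberately emits the 128-bit form and relies on `tcg_out_dup_vec` to widen, which is sound but unstated. A comment on the call, `/* The 128-bit form is enough: the dup below widens to the full vector. */`, would keep a later reader from re-adding width handling here. `tcg_out_vec_op` begins and ends outside this hunk.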
++++++ tcg-mips-mips-sync-encode-error.patch ++++++
From: lixinyu <[email protected]>
Date: Sat, 11 Apr 2020 20:46:12 +0800
Subject: tcg/mips: mips sync* encode error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: a4e57084c16d5b0eff3651693fba04f26b30b551

OPC_SYNC_WMB, OPC_SYNC_MB, OPC_SYNC_ACQUIRE, OPC_SYNC_RELEASE and
OPC_SYNC_RMB have the wrong encoding. According to the mips manual,
their encoding should be 'OPC_SYNC | 0x?? << 6' rather than
'OPC_SYNC | 0x?? << 5'. The wrong encoding can lead to illegal instruction
errors. These instructions often appear with multi-threaded
simulation.

Fixes: 6f0b99104a3 ("tcg/mips: Add support for fence")
Reviewed-by: Richard Henderson <[email protected]>
Reviewed-by: Aleksandar Markovic <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: lixinyu <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Richard Henderson <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 tcg/mips/tcg-target.inc.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tcg/mips/tcg-target.inc.c b/tcg/mips/tcg-target.inc.c
index 544216704526a4bd24dce51ade83..006835348fe5c5818d89b0806ba3 100644
--- a/tcg/mips/tcg-target.inc.c
+++ b/tcg/mips/tcg-target.inc.c
@@ -404,11 +404,11 @@ typedef enum {
 
     /* MIPS r6 introduced names for weaker variants of SYNC.  These are
        backward compatible to previous architecture revisions.  */
-    OPC_SYNC_WMB     = OPC_SYNC | 0x04 << 5,
-    OPC_SYNC_MB      = OPC_SYNC | 0x10 << 5,
-    OPC_SYNC_ACQUIRE = OPC_SYNC | 0x11 << 5,
-    OPC_SYNC_RELEASE = OPC_SYNC | 0x12 << 5,
-    OPC_SYNC_RMB     = OPC_SYNC | 0x13 << 5,
+    OPC_SYNC_WMB     = OPC_SYNC | 0x04 << 6,
+    OPC_SYNC_MB      = OPC_SYNC | 0x10 << 6,
+    OPC_SYNC_ACQUIRE = OPC_SYNC | 0x11 << 6,
+    OPC_SYNC_RELEASE = OPC_SYNC | 0x12 << 6,
+    OPC_SYNC_RMB     = OPC_SYNC | 0x13 << 6,
 
     /* Aliases for convenience.  */
     ALIAS_PADD     = sizeof(void *) == 4 ? OPC_ADDU : OPC_DADDU,
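Review bot: The corrected constants shift the stype value by 6, but the enum gives no hint which instruction field that is, which is how the off-by-one shift went unnoticed; extending the existing comment, e.g. `/* ... The 5-bit stype field occupies bits 10:6 of SYNC. */`, documents the layout the fix depends on. The `typedef enum` begins above this hunk.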
++++++ update_git.sh ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:10.179577464 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:10.179577464 +0200
@@ -1,4 +1,8 @@
 #!/bin/bash
+#POKEALL used to document where ALL repos are POKED
+#POKEALL? question what repos are actually poked here
+#TEMP_CHECK - try to eliminate
+# !! FIX AFTER RUN - LEAVING REPO NOT IN GOOD STATE
 
 # update_git.sh: script to manage package maintenance using a git-based
 # workflow. Commands are as follows:
@@ -64,16 +68,6 @@
 #==============================================================================
 
 TEMP_CHECK() {
-# TEMPORARY! FOR NOW WE REQUIRE THESE LOCALLY TO DO WORK ON PACKAGE
-REQUIRED_LOCAL_REPO_MAP=(
-    ~/git/qemu-opensuse
-    ~/git/qemu-seabios
-    ~/git/qemu-ipxe
-    ~/git/qemu-sgabios
-    ~/git/qemu-skiboot
-    ~/git/qemu-keycodemapdb
-    ~/git/qemu-qboot
-)
 
 # Validate that all the local repos that we currently have patches in are 
available
 # TEMPORARY REQUIREMENT!
@@ -129,22 +123,25 @@
 
 # Now go through all the submodule local repos that are present and create a 
bundle file for the patches found there
 for (( i=0; i <$REPO_COUNT; i++ )); do
+#POKEALL (conditional on whether it IS there)
     if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then
         SUBDIR=${PATCH_PATH_MAP[$i]}
         GITREPO_COMMIT_ISH=($BUNDLE_DIR/$SUBDIR*.id)
         if [[ $GITREPO_COMMIT_ISH  =~ .*(.{40})[.]id ]]; then
             GITREPO_COMMIT_ISH=${BASH_REMATCH[1]}
             echo "Using $GITREPO_COMMIT_ISH"
-            PATCH_RANGE_INDEX=$i
             mkdir -p $GIT_DIR/$SUBDIR
             git -C $GIT_DIR/$SUBDIR init
+#POKEALL
             git -C $GIT_DIR/$SUBDIR remote add origin file://$(readlink -f \
-                ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]})
-            git -C $(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) remote 
get-url origin >$BUNDLE_DIR/$SUBDIR/repo
+                ${LOCAL_REPO_MAP[$i]})
             if [[ $(git -C $GIT_DIR/$SUBDIR ls-remote --heads origin 
$GIT_BRANCH) ]]; then
                 git -C $GIT_DIR/$SUBDIR fetch origin $GIT_BRANCH
                 if [[ $(git -C $GIT_DIR/$SUBDIR rev-list 
$GITREPO_COMMIT_ISH..FETCH_HEAD) ]]; then
                     git -C $GIT_DIR/$SUBDIR bundle create 
$BUNDLE_DIR/$SUBDIR$GITREPO_COMMIT_ISH.bundle $GITREPO_COMMIT_ISH..FETCH_HEAD
+#TODO: post-process repo info to avoid un-needed diffs (eg git vs https)
+#POKEALL
+                    git -C $(readlink -f ${LOCAL_REPO_MAP[$i]}) remote get-url 
origin >$BUNDLE_DIR/$SUBDIR/repo
                 fi
             fi
         fi
@@ -180,12 +177,12 @@
     fi
     for (( i=0; i <$REPO_COUNT; i++ )); do
         if [[ "$SUBDIR" = "${PATCH_PATH_MAP[$i]}" ]]; then
-            PATCH_RANGE_INDEX=$i
             break
         fi
     done
 
-    LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]})
+#POKEALL ?
+    LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$i]})
     if [ -e $LOCAL_REPO ]; then
         git -C $LOCAL_REPO remote remove bundlerepo || true
        # git won't let you delete a branch we're on - so get onto master 
temporarily (TODO: is there a better approach?)
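Review bot: When the `for` loop in this hunk finishes without a match, `$i` equals `$REPO_COUNT` and `${LOCAL_REPO_MAP[$i]}` is empty, so the new `LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$i]})` line is computed from nothing and the unquoted `[ -e $LOCAL_REPO ]` below it may not evaluate as a false test. A later hunk in this file adds exactly the needed guard after its own copy of this loop, `if [[ $i = $REPO_COUNT ]]; then ... fi`, and the same guard belongs here. The surrounding block starts and ends outside this hunk.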
@@ -283,6 +280,7 @@
 tar xJf bundles.tar.xz -C $BUNDLE_DIR
 # Now go through all the submodule local repos that are present and create a 
bundle file for the patches found there
 for (( i=0; i <$REPO_COUNT; i++ )); do
+#POKEALL
     if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then
         if $(git -C ${LOCAL_REPO_MAP[$i]} branch | grep -F "frombundle" 
>/dev/null); then
             SUBDIR=${PATCH_PATH_MAP[$i]}
@@ -334,15 +332,19 @@
     fi
     for (( i=0; i <$REPO_COUNT; i++ )); do
         if [[ "$SUBDIR" = "${PATCH_PATH_MAP[$i]}" ]]; then
-            PATCH_RANGE_INDEX=$i
             break
         fi
     done
+    if [[ $i = $REPO_COUNT ]]; then
+        echo "Error matching bundle dir to project submodule path"
+       exit
+    fi
 
     mkdir -p $GIT_DIR/$SUBDIR
     git -C $GIT_DIR/$SUBDIR init
+#POKEALL?
     git -C $GIT_DIR/$SUBDIR remote add origin file://$(readlink -f \
-        ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]})
+        ${LOCAL_REPO_MAP[$i]})
     git -C $GIT_DIR/$SUBDIR fetch origin $GIT_BRANCH
     git -C $GIT_DIR/$SUBDIR reset --hard $GITREPO_COMMIT_ISH
     git -C $GIT_DIR/$SUBDIR remote add bundle $BUNDLE_DIR/$entry 
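Review bot: The new error path `echo "Error matching bundle dir to project submodule path"` followed by a bare `exit` returns the status of the echo, so the script reports success to its caller on the very failure it just detected; use `echo "Error matching bundle dir to project submodule path" >&2` and `exit 1`. The same bare `exit` follows the error messages in the `explain_setup` hunk and in both tarball-name checks of the not-LATEST hunk further down. The `exit` line here is also indented with a tab while the rest of the block uses spaces.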
@@ -350,7 +352,7 @@
     git -C $GIT_DIR/$SUBDIR format-patch -N --suffix= --no-renames -o $CMP_DIR 
-k --stat=72 \
         --indent-heuristic --zero-commit --no-signature --full-index \
         --src-prefix=a/$SUBDIR --dst-prefix=b/$SUBDIR \
-        --start-number=$(expr $PATCH_RANGE_INDEX \* $PATCH_RANGE) \
+        --start-number=$(expr $i \* $PATCH_RANGE) \
         $GITREPO_COMMIT_ISH..FETCH_HEAD > /dev/null
 done
 
@@ -584,6 +586,10 @@
     if [ -e qemu.changes.added ]; then
         rm -f qemu.changes.added
     fi
+# Decide if there is a better way to handle the no change case:
+    if [[ "0" = "$(expr $CHANGED_COUNT + $DELETED_COUNT + $ADDED_COUNT)" ]]; 
then
+        osc revert bundles.tar.xz
+    fi
     echo "git patch summary"
     echo "  unchanged: $UNCHANGED_COUNT"
     echo "    changed: $CHANGED_COUNT"
@@ -611,9 +617,27 @@
 
 #==============================================================================
 
+explain_setup() {
+echo "Currently we require local git repos at these locations:"
+echo "${REQUIRED_LOCAL_REPO_MAP[@]}"
+echo "Where each has as it's remote the uri: https://github.com/opensuse/*.git";
+echo "and where * is replaced by the qemu-whatever, and the remote is named 
origin"
+echo "and the qemu or qemu submodule repos as remotes named upstream"
+}
+
+#==============================================================================
+
+#?? Should we be LATEST or not specific here?
+if [[ ! -e $(readlink -f ${LOCAL_REPO_MAP[0]}) ]]; then
+    echo "ERROR: Main local QEMU related git repo not found. Please follow 
these setup instructions:"
+    explain_setup
+    exit
+fi
+
 echo "WARNING: Script using local git repos. Some operations may be time 
consuming..."
 #TODO: Most of these checks are not necessary
 for (( i=0; i <$REPO_COUNT; i++ )); do
+#POKEALL
     if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then
        if [[ -d ${LOCAL_REPO_MAP[$i]}/.git/rebase-merge  || \
             -d ${LOCAL_REPO_MAP[$i]}/.git/rebase-apply ]]; then
@@ -660,6 +684,7 @@
            fi
         fi
     fi
+#POKEALL
     for (( i=0; i <$REPO_COUNT; i++ )); do
         if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then
             git -C ${LOCAL_REPO_MAP[$i]} remote update upstream &> /dev/null
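Review bot: `explain_setup` prints `"${REQUIRED_LOCAL_REPO_MAP[@]}"`, but the only definition of that array visible on this page is the one the second hunk of this file removes from `TEMP_CHECK`, so unless it is now defined elsewhere (config.sh, perhaps) the setup instructions print an empty list; `LOCAL_REPO_MAP`, which every other new line in this file uses, looks like the intended array. The `https://github.com/opensuse/*.git";` line also ends in a stray `;` after the closing quote, and `it's remote` should read `its remote`.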
@@ -692,13 +717,13 @@
     WRITE_LOG=0
     echo "Processing LATEST upstream changes"
     echo "(If SUCCESS is not printed upon completion, see /tmp/latest.log for 
issues)"
-    TEMP_CHECK
+    TEMP_CHECK # DOING LATEST
     if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
         OLD_COMMIT_ISH=${BASH_REMATCH[3]}
     else
 #Assume release (or release candidate) tarball with equivalent tag:
         OLD_COMMIT_ISH=$(cd ${LOCAL_REPO_MAP[0]} && git rev-list 
--abbrev-commit \
-            --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
+            --abbrev=8 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
     fi
     if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then
         echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG"
@@ -737,10 +762,18 @@
     echo "SUCCESS"
     tail -9 /tmp/latest.log
 else # not LATEST
+    if [ ! "$GIT_UPSTREAM_COMMIT_ISH" = "v$OLD_SOURCE_VERSION_AND_EXTRA" ]; 
then
+        echo "Tarball name (which we decode) doesn't correspond to the 
\$GIT_UPSTREAM_COMMIT_ISH in config.sh"
+       exit
+    fi
     git -C ${LOCAL_REPO_MAP[0]} checkout $GIT_UPSTREAM_COMMIT_ISH 
--recurse-submodules -f &> /dev/null
     NEW_COMMIT_ISH=
     SOURCE_VERSION=$OLD_SOURCE_VERSION_AND_EXTRA
     QEMU_VERSION=$(tar JxfO qemu-$SOURCE_VERSION$VERSION_EXTRA.tar.xz 
qemu-$SOURCE_VERSION/VERSION)
+    if [ ! "$QEMU_VERSION" = "$OLD_SOURCE_VERSION_AND_EXTRA" ]; then
+           echo "Tarball name (which we decode) doesn't correspond to the 
VERSION file contained therein"
+            exit
+    fi
     MAJOR_VERSION=$(echo $QEMU_VERSION|awk -F. '{print $1}')
     MINOR_VERSION=$(echo $QEMU_VERSION|awk -F. '{print $2}')
     GIT_BRANCH=opensuse-$MAJOR_VERSION.$MINOR_VERSION
@@ -755,7 +788,7 @@
         git2pkg )
             echo "Updating the package using the $GIT_BRANCH branch of the 
local repos."
             echo "(If SUCCESS is not printed upon completion, see 
/tmp/git2pkg.log for issues)"
-            TEMP_CHECK
+            TEMP_CHECK #NOT LATEST
             initbundle &> /tmp/git2pkg.log
             bundle2spec &>> /tmp/git2pkg.log
             echo "SUCCESS"
@@ -764,7 +797,7 @@
         pkg2git )
             echo "Exporting the package's git bundles to the local repo's 
frombundle branches..." 
             echo "(If SUCCESS is not printed upon completion, see 
/tmp/pkg2git.log for issues)"
-            TEMP_CHECK
+            TEMP_CHECK #NOT LATEST
             bundle2local &> /tmp/pkg2git.log
             echo "SUCCESS"
             echo "To modify package patches, use the frombundle branch as the 
basis for updating"
@@ -775,7 +808,7 @@
             echo "Updating the spec file and patches from the spec file 
template and the bundle"
             echo "of bundles (bundles.tar.xz)"
             echo "(If SUCCESS is not printed upon completion, see 
/tmp/refresh.log for issues)"
-            TEMP_CHECK
+            TEMP_CHECK #NOT LATEST
             bundle2spec &> /tmp/refresh.log
             echo "SUCCESS"
             tail -9 /tmp/refresh.log

++++++ vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch ++++++
--- /var/tmp/diff_new_pack.Dd4YDk/_old  2020-04-21 19:04:10.199577506 +0200
+++ /var/tmp/diff_new_pack.Dd4YDk/_new  2020-04-21 19:04:10.199577506 +0200
@@ -2,7 +2,7 @@
 Date: Mon, 2 Mar 2020 12:24:54 +0800
 Subject: vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM
 
-References: bsc#1167075
+References: bsc#1167075, bsc#1167445
 
 We turn on device IOTLB via VIRTIO_F_IOMMU_PLATFORM unconditionally on
 platform without IOMMU support. This can lead unnecessary IOTLB

++++++ vhost-user-gpu-Release-memory-returned-b.patch ++++++
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]>
Date: Mon, 23 Mar 2020 12:29:41 +0100
Subject: vhost-user-gpu: Release memory returned by vu_queue_pop() with free()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 4ff97121a3ee631971aadc87e3d4e7fb66f15aa8

vu_queue_pop() returns memory that must be freed with free().

Cc: [email protected]
Reported-by: Coverity (CID 1421887 ALLOC_FREE_MISMATCH)
Suggested-by: Peter Maydell <[email protected]>
Signed-off-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Signed-off-by: Peter Maydell <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 contrib/vhost-user-gpu/main.c  | 4 ++--
 contrib/vhost-user-gpu/virgl.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
index b45d2019b46bdfac64b59d5702ae..a019d0a9acea61a7629f1c74c79a 100644
--- a/contrib/vhost-user-gpu/main.c
+++ b/contrib/vhost-user-gpu/main.c
@@ -848,7 +848,7 @@ vg_handle_ctrl(VuDev *dev, int qidx)
             QTAILQ_INSERT_TAIL(&vg->fenceq, cmd, next);
             vg->inflight++;
         } else {
-            g_free(cmd);
+            free(cmd);
         }
     }
 }
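Review bot: The three `g_free` → `free` switches (here in vg_handle_ctrl, and likewise in vg_handle_cursor and virgl_write_fence in the following hunks) fix the allocator mismatch, but nothing at the call sites tells the next maintainer why a GLib-heavy file releases these objects with plain `free()`, so the change is likely to be "corrected" back. A one-line comment at each site would preserve the reason, e.g. `free(cmd); /* allocated by vu_queue_pop() (libvhost-user), not GLib */`. The enclosing functions start before each hunk.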
@@ -939,7 +939,7 @@ vg_handle_cursor(VuDev *dev, int qidx)
         }
         vu_queue_push(dev, vq, elem, 0);
         vu_queue_notify(dev, vq);
-        g_free(elem);
+        free(elem);
     }
 }
 
diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
index 43413e29df9d46739c09d2d501df..b0bc22c3c13db0e8b0b450dac19d 100644
--- a/contrib/vhost-user-gpu/virgl.c
+++ b/contrib/vhost-user-gpu/virgl.c
@@ -519,7 +519,7 @@ virgl_write_fence(void *opaque, uint32_t fence)
         g_debug("FENCE %" PRIu64, cmd->cmd_hdr.fence_id);
         vg_ctrl_response_nodata(g, cmd, VIRTIO_GPU_RESP_OK_NODATA);
         QTAILQ_REMOVE(&g->fenceq, cmd, next);
-        g_free(cmd);
+        free(cmd);
         g->inflight--;
     }
 }
++++++ vpc-Don-t-round-up-already-aligned-BAT-s.patch ++++++
From: Kevin Wolf <[email protected]>
Date: Thu, 2 Apr 2020 11:36:03 +0200
Subject: vpc: Don't round up already aligned BAT sizes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Git-commit: 3f6de653b946fe849330208becf79d6af7e876cb

As reported on Launchpad, Azure apparently doesn't accept images for
upload that are not both aligned to 1 MB blocks and have a BAT size that
matches the image size exactly.

As far as I can tell, there is no real reason why we create a BAT that
is one entry longer than necessary for aligned image sizes, so change
that.

(Even though the condition is only mentioned as "should" in the spec and
previous products accepted larger BATs - but we'll try to maintain
compatibility with as many of Microsoft's ever-changing interpretations
of the VHD spec as possible.)

Fixes: https://bugs.launchpad.net/bugs/1870098
Reported-by: Tobias Witek
Signed-off-by: Kevin Wolf <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Max Reitz <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 block/vpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/vpc.c b/block/vpc.c
index a65550298e195af52c51a31d1f9f..21b08033a6ab56115c6258b7ef3c 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -835,7 +835,7 @@ static int create_dynamic_disk(BlockBackend *blk, uint8_t 
*buf,
 
     /* Write the footer (twice: at the beginning and at the end) */
     block_size = 0x200000;
-    num_bat_entries = (total_sectors + block_size / 512) / (block_size / 512);
+    num_bat_entries = DIV_ROUND_UP(total_sectors, block_size / 512);
 
     ret = blk_pwrite(blk, offset, buf, HEADER_SIZE, 0);
     if (ret < 0) {
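Review bot: `DIV_ROUND_UP(total_sectors, block_size / 512)` yields 0 entries when total_sectors is 0, whereas the old expression always produced at least 1; if a zero-size image can reach create_dynamic_disk, the BAT-writing code that follows would now operate on an empty table, so that case should either be rejected earlier or documented as impossible here. Also, the comment above the assignment still reads "Write the footer", while the new line computes the BAT size; a short comment such as `/* One BAT entry per 2 MiB block; no extra entry for already-aligned sizes */` would describe what the line now does. The function starts before the hunk.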
++++++ xen-block-Fix-double-qlist-remove-and-re.patch ++++++
From: Anthony PERARD <[email protected]>
Date: Mon, 6 Apr 2020 15:02:17 +0100
Subject: xen-block: Fix double qlist remove and request leak

Git-commit: 36d883ba0de8a281072ded2b51e0a711fd002139

Commit a31ca6801c02 ("qemu/queue.h: clear linked list pointers on
remove") revealed that a request was removed twice from a list, once
in xen_block_finish_request() and a second time in
xen_block_release_request() when both functions are called from
xen_block_complete_aio(). But also, the `requests_inflight' counter is
decreased twice, and thus became negative.

This is a bug that was introduced in bfd0d6366043 ("xen-block: improve
response latency"), where a `finished' list was removed.

That commit also introduced a leak of request in xen_block_do_aio().
That function calls xen_block_finish_request() but the request is
never released after that.

To fix both issue, we do two changes:
- we squash finish_request() and release_request() together as we want
  to remove a request from 'inflight' list to add it to 'freelist'.
- before releasing a request, we need to let the other end know the
  result, thus we should call xen_block_send_response() before
  releasing a request.

The first change fixes the double QLIST_REMOVE() as we remove the extra
call. The second change makes the leak go away because if we want to
call finish_request(), we need to call a function that does all of
finish, send response, and release.

Fixes: bfd0d6366043 ("xen-block: improve response latency")
Signed-off-by: Anthony PERARD <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Paul Durrant <[email protected]>
[mreitz: Amended commit message as per Paul's suggestions]
Signed-off-by: Max Reitz <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 hw/block/dataplane/xen-block.c | 48 ++++++++++++----------------------
 1 file changed, 16 insertions(+), 32 deletions(-)

diff --git a/hw/block/dataplane/xen-block.c b/hw/block/dataplane/xen-block.c
index 3b9caeb2fa00a1f4eb338fca7a89..c4ed2870ecd779bf40eb4f3eded3 100644
--- a/hw/block/dataplane/xen-block.c
+++ b/hw/block/dataplane/xen-block.c
@@ -64,6 +64,8 @@ struct XenBlockDataPlane {
     AioContext *ctx;
 };
 
+static int xen_block_send_response(XenBlockRequest *request);
+
 static void reset_request(XenBlockRequest *request)
 {
     memset(&request->req, 0, sizeof(request->req));
@@ -115,23 +117,26 @@ out:
     return request;
 }
 
-static void xen_block_finish_request(XenBlockRequest *request)
+static void xen_block_complete_request(XenBlockRequest *request)
 {
     XenBlockDataPlane *dataplane = request->dataplane;
 
-    QLIST_REMOVE(request, list);
-    dataplane->requests_inflight--;
-}
+    if (xen_block_send_response(request)) {
+        Error *local_err = NULL;
 
-static void xen_block_release_request(XenBlockRequest *request)
-{
-    XenBlockDataPlane *dataplane = request->dataplane;
+        xen_device_notify_event_channel(dataplane->xendev,
+                                        dataplane->event_channel,
+                                        &local_err);
+        if (local_err) {
+            error_report_err(local_err);
+        }
+    }
 
     QLIST_REMOVE(request, list);
+    dataplane->requests_inflight--;
     reset_request(request);
     request->dataplane = dataplane;
     QLIST_INSERT_HEAD(&dataplane->freelist, request, list);
-    dataplane->requests_inflight--;
 }
 
 /*
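Review bot: xen_block_complete_request now does three things in a fixed order — send the response (and notify the event channel), unlink from the inflight list, and return the request to the freelist — and it relies on the caller having already set `request->status`, as the reordering in xen_block_do_aio's err path in a later hunk shows; none of that is written down. A header comment above the function stating that contract (callers must set status first; the request must not be touched after the call since it is back on the freelist) would keep the next caller from reintroducing the ordering bug this patch fixes. The same precondition applies to the call sites rewritten in xen_block_complete_aio and xen_block_handle_requests, whose enclosing functions start outside their hunks.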
@@ -246,7 +251,6 @@ static int xen_block_copy_request(XenBlockRequest *request)
 }
 
 static int xen_block_do_aio(XenBlockRequest *request);
-static int xen_block_send_response(XenBlockRequest *request);
 
 static void xen_block_complete_aio(void *opaque, int ret)
 {
@@ -286,7 +290,6 @@ static void xen_block_complete_aio(void *opaque, int ret)
     }
 
     request->status = request->aio_errors ? BLKIF_RSP_ERROR : BLKIF_RSP_OKAY;
-    xen_block_finish_request(request);
 
     switch (request->req.operation) {
     case BLKIF_OP_WRITE:
@@ -306,17 +309,8 @@ static void xen_block_complete_aio(void *opaque, int ret)
     default:
         break;
     }
-    if (xen_block_send_response(request)) {
-        Error *local_err = NULL;
 
-        xen_device_notify_event_channel(dataplane->xendev,
-                                        dataplane->event_channel,
-                                        &local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        }
-    }
-    xen_block_release_request(request);
+    xen_block_complete_request(request);
 
     if (dataplane->more_work) {
         qemu_bh_schedule(dataplane->bh);
@@ -420,8 +414,8 @@ static int xen_block_do_aio(XenBlockRequest *request)
     return 0;
 
 err:
-    xen_block_finish_request(request);
     request->status = BLKIF_RSP_ERROR;
+    xen_block_complete_request(request);
     return -1;
 }
 
@@ -575,17 +569,7 @@ static bool xen_block_handle_requests(XenBlockDataPlane 
*dataplane)
                 break;
             };
 
-            if (xen_block_send_response(request)) {
-                Error *local_err = NULL;
-
-                xen_device_notify_event_channel(dataplane->xendev,
-                                                dataplane->event_channel,
-                                                &local_err);
-                if (local_err) {
-                    error_report_err(local_err);
-                }
-            }
-            xen_block_release_request(request);
+            xen_block_complete_request(request);
             continue;
         }
 
